GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-11 19:41:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.JE3Z 465,76GB Running: 95gbcexd.exe; Driver: C:\Users\Pit\AppData\Local\Temp\uxtdapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800037ae000 45 bytes [00, 10, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800037ae02f 23 bytes [00, 00, 10, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774f1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774f1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\services.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[784] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes JMP 0 .text C:\Windows\system32\services.exe[784] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd0950a0 6 bytes JMP 9b3 .text C:\Windows\system32\services.exe[784] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007728f874 6 bytes {JMP QWORD [RIP+0x8e107bc]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077294d4d 5 bytes {JMP QWORD [RIP+0x8e2b2e4]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000772a8c20 6 bytes {JMP QWORD [RIP+0x8dd7410]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\services.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes JMP 0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000b750a0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes JMP 6c .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes JMP 45002d .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000c650a0 6 bytes {JMP QWORD [RIP+0x17af90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[948] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000010850a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 79000026 .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\system32\nvvsvc.exe[1008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[164] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000fe50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000010f50a0 6 bytes {JMP QWORD [RIP+0x15af90]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[716] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000010650a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes JMP 25e4380 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes JMP c3ebc3eb .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes JMP c64ac64a .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000013b50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000013c50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000fe50a0 6 bytes JMP 40001 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff377490 11 bytes JMP 000007fffd470228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1368] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff38bf00 7 bytes JMP 000007fffd470260 .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\system32\nvvsvc.exe[1380] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000018950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 1D] .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes JMP 0 .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 43d9 .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\WLANExt.exe[1564] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000b950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\conhost.exe[1572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1656] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000010350a0 6 bytes {JMP QWORD [RIP+0x1eaf90]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskhost.exe[1732] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000027450a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes JMP 30000 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes JMP 4 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 40080408 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd0950a0 6 bytes JMP 9b3 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x60dd64]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x5c7c98]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x5e6cec]} .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff377490 11 bytes JMP 000007fffd470228 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff38bf00 7 bytes JMP 000007fffd470260 .text C:\Windows\system32\taskeng.exe[1264] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000025a50a0 6 bytes JMP 9b3 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1288] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010c50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 43d9 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2088] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000be50a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\wbem\unsecapp.exe[2392] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 43d9 .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ef50a0 4 bytes [FF, 25, 90, AF] .text C:\Windows\system32\wbem\wmiprvse.exe[2548] C:\Windows\system32\SSPICLI.DLL!EncryptMessage + 5 0000000000ef50a5 1 byte [00] .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[3064] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000fd50a0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\SearchIndexer.exe[1608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x61dd64]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x5d7c98]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x5b7658]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x5f6cec]} .text C:\Windows\System32\spoolsv.exe[2956] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000022a50a0 6 bytes {JMP QWORD [RIP+0x2baf90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd0950a0 6 bytes JMP 9b3 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x6add64]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x667c98]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x647658]} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1492] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x686cec]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 1D] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 34] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3088] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000014850a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe[3388] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd0950a0 6 bytes {JMP QWORD [RIP+0xcaf90]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3396] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x6add64]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x667c98]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x647658]} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[3868] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x686cec]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ee1409 7 bytes JMP 0000000172161fa0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076efb21b 5 bytes JMP 0000000172161eb0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076f78e24 7 bytes JMP 0000000172161ea0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076f78ea9 5 bytes JMP 0000000172161f90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076f791ff 5 bytes JMP 0000000172161f20 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076641d29 5 bytes JMP 0000000172162730 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076641dd7 5 bytes JMP 0000000172162790 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076642ab1 5 bytes JMP 0000000172162800 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076642d17 5 bytes JMP 0000000172162980 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758fe96b 5 bytes JMP 0000000172161a20 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758feba5 5 bytes JMP 0000000172161ab0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000751c5ea5 5 bytes JMP 0000000172161df0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000751f9d0b 5 bytes JMP 0000000172161d70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x60dd64]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x5c7c98]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x5e6cec]} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff377490 11 bytes JMP 000007fffd470228 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[2888] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff38bf00 7 bytes JMP 000007fffd470260 .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\hkcmd.exe[3532] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 0 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff377490 11 bytes JMP 000007fffd470228 .text C:\Windows\system32\igfxpers.exe[3584] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff38bf00 7 bytes JMP 000007fffd470260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff377490 11 bytes JMP 000007fffd470228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff38bf00 7 bytes JMP 000007fffd470260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3620] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000774f1430 8 bytes JMP 000000016ffe00d8 .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[4240] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE[3856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ee1409 7 bytes JMP 0000000172161fa0 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076efb21b 5 bytes JMP 0000000172161eb0 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076f78e24 7 bytes JMP 0000000172161ea0 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076f78ea9 5 bytes JMP 0000000172161f90 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076f791ff 5 bytes JMP 0000000172161f20 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076641d29 5 bytes JMP 0000000172162730 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076641dd7 5 bytes JMP 0000000172162790 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076642ab1 5 bytes JMP 0000000172162800 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076642d17 5 bytes JMP 0000000172162980 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758fe96b 5 bytes JMP 0000000172161a20 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758feba5 5 bytes JMP 0000000172161ab0 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\OTL.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\notepad.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\notepad.exe[4700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\notepad.exe[4700] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\notepad.exe[4700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes JMP 0 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\notepad.exe[4700] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\notepad.exe[4700] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 0 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\notepad.exe[4700] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\notepad.exe[4700] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8b7c520]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8b2ec90]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x8eaebc0]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x8d4eac0]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e2ea50]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x8e4e970]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c4e900]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 6 bytes {JMP QWORD [RIP+0x8cce8a0]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x8cee850]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e0e830]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8eee640]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8c0e630]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d6e460]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8c6e420]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c2e3b0]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8cae380]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8c8e320]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x8e6e310]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x8ece300]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x8d8df90]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x8e8df00]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x8dad690]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x8d0d610]} .text C:\Windows\notepad.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x8d2d590]} .text C:\Windows\notepad.exe[4332] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x8cc24b0]} .text C:\Windows\notepad.exe[4332] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\notepad.exe[4332] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\notepad.exe[4332] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\notepad.exe[4332] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 6c0070 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\notepad.exe[4332] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\notepad.exe[4332] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8f5c520]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000774f1370 6 bytes {JMP QWORD [RIP+0x8c2ecc0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8f0ec90]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x964ebc0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000774f14d0 6 bytes {JMP QWORD [RIP+0x8c0eb60]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000774f14e0 6 bytes {JMP QWORD [RIP+0x8e6eb50]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x953eac0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000774f1640 6 bytes {JMP QWORD [RIP+0x8e8e9f0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 6 bytes {JMP QWORD [RIP+0x8cae980]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x95ee970]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c8e900]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 4 bytes [FF, 25, A0, E8] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 5 00000000774f1795 1 byte [09] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x94de850]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8bce640]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8bae630]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8cce420]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000774f1c90 6 bytes {JMP QWORD [RIP+0x8e0e3a0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8d4e380]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8d0e320]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x960e310]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x966e300]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000774f1d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x956df90]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x962df00]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 6 bytes {JMP QWORD [RIP+0x8eade90]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 6 bytes {JMP QWORD [RIP+0x8cede60]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 6 bytes {JMP QWORD [RIP+0x8c6ddf0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 6 bytes {JMP QWORD [RIP+0x8d2dda0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000774f27a0 6 bytes {JMP QWORD [RIP+0x8d6d890]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x958d690]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000774f29c0 6 bytes {JMP QWORD [RIP+0x8eed670]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x94fd610]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x951d590]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000773862e0 6 bytes {JMP QWORD [RIP+0x8c99d50]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077393a20 6 bytes {JMP QWORD [RIP+0x8cec610]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x94424b0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000774016e0 6 bytes {JMP QWORD [RIP+0x8c3e950]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd450180 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4500d8 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd450148 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0D] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd450110 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes JMP 0 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes JMP 8683e0 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes JMP 530045 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4501f0 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes JMP 0 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4501b8 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd7b687c 6 bytes {JMP QWORD [RIP+0x1f097b4]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd7b8e30 6 bytes {JMP QWORD [RIP+0x1f87200]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd7b995c 5 bytes [FF, 25, D4, 66, F6] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd7b99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd7b9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd7ba51c 6 bytes {JMP QWORD [RIP+0x1ee5b14]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd7ba530 6 bytes {JMP QWORD [RIP+0x1ec5b00]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd7ba5b0 5 bytes JMP ffffffff .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd7ba5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd7bbb28 6 bytes {JMP QWORD [RIP+0x1f24508]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd7bbb3c 3 bytes [FF, 25, F4] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd7bbb40 2 bytes [F4, 01] .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!IcmpCloseHandle 000007fefa667cc0 6 bytes {JMP QWORD [RIP+0x118370]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho2Ex 000007fefa667f5c 6 bytes {JMP QWORD [RIP+0xd80d4]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!IcmpCreateFile 000007fefa668250 6 bytes {JMP QWORD [RIP+0x47de0]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho 000007fefa668340 6 bytes JMP 0 .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!IcmpSendEcho2 000007fefa66839c 6 bytes {JMP QWORD [RIP+0xb7c94]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!Icmp6SendEcho2 000007fefa669ce0 6 bytes {JMP QWORD [RIP+0xf6350]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\IPHLPAPI.DLL!Icmp6CreateFile 000007fefa66a030 6 bytes {JMP QWORD [RIP+0x66000]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007fefe047cb0 6 bytes {JMP QWORD [RIP+0xda8380]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\SHELL32.dll!SHOpenFolderAndSelectItems 000007fefe27cf84 6 bytes {JMP QWORD [RIP+0xb530ac]} .text D:\Pobrane\FRST64.exe[2604] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000037650a0 6 bytes {JMP QWORD [RIP+0x13af90]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8f5c520]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000774f1370 6 bytes {JMP QWORD [RIP+0x8c2ecc0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8f0ec90]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x964ebc0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000774f14d0 6 bytes {JMP QWORD [RIP+0x8c0eb60]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000774f14e0 6 bytes {JMP QWORD [RIP+0x8e6eb50]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x953eac0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000774f1640 6 bytes {JMP QWORD [RIP+0x8e8e9f0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 6 bytes {JMP QWORD [RIP+0x8cae980]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x95ee970]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c8e900]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 4 bytes [FF, 25, A0, E8] .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 5 00000000774f1795 1 byte [09] .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x94de850]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8bce640]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8bae630]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8cce420]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000774f1c90 6 bytes {JMP QWORD [RIP+0x8e0e3a0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8d4e380]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8d0e320]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x960e310]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x966e300]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000774f1d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x956df90]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x962df00]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 6 bytes {JMP QWORD [RIP+0x8eade90]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 6 bytes {JMP QWORD [RIP+0x8cede60]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 6 bytes {JMP QWORD [RIP+0x8c6ddf0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 6 bytes {JMP QWORD [RIP+0x8d2dda0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000774f27a0 6 bytes {JMP QWORD [RIP+0x8d6d890]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x958d690]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000774f29c0 6 bytes {JMP QWORD [RIP+0x8eed670]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x94fd610]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x951d590]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000773862e0 6 bytes {JMP QWORD [RIP+0x8c99d50]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077393a20 6 bytes {JMP QWORD [RIP+0x8cec610]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x94424b0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000774016e0 6 bytes {JMP QWORD [RIP+0x8c3e950]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd488ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd7b687c 6 bytes {JMP QWORD [RIP+0x3297b4]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd7b8e30 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd7b995c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd7b99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd7b9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd7ba51c 6 bytes {JMP QWORD [RIP+0x305b14]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd7ba530 6 bytes {JMP QWORD [RIP+0x2e5b00]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd7ba5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd7ba5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd7bbb28 6 bytes {JMP QWORD [RIP+0x344508]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd7bbb3c 3 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3932] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd7bbb40 2 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[3932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[3932] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000017b50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8f5c520]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000774f1370 6 bytes {JMP QWORD [RIP+0x8c2ecc0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8f0ec90]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x964ebc0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000774f14d0 6 bytes {JMP QWORD [RIP+0x8c0eb60]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000774f14e0 6 bytes {JMP QWORD [RIP+0x8e6eb50]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x953eac0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000774f1640 6 bytes {JMP QWORD [RIP+0x8e8e9f0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 6 bytes {JMP QWORD [RIP+0x8cae980]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x95ee970]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c8e900]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 4 bytes [FF, 25, A0, E8] .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 5 00000000774f1795 1 byte [09] .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x94de850]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8bce640]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8bae630]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8cce420]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000774f1c90 6 bytes {JMP QWORD [RIP+0x8e0e3a0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8d4e380]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8d0e320]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x960e310]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x966e300]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000774f1d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x956df90]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x962df00]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 6 bytes {JMP QWORD [RIP+0x8eade90]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 6 bytes {JMP QWORD [RIP+0x8cede60]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 6 bytes {JMP QWORD [RIP+0x8c6ddf0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 6 bytes {JMP QWORD [RIP+0x8d2dda0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000774f27a0 6 bytes {JMP QWORD [RIP+0x8d6d890]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x958d690]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000774f29c0 6 bytes {JMP QWORD [RIP+0x8eed670]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x94fd610]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x951d590]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000773862e0 6 bytes {JMP QWORD [RIP+0x8c99d50]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077393a20 6 bytes {JMP QWORD [RIP+0x8cec610]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x94424b0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000774016e0 6 bytes {JMP QWORD [RIP+0x8c3e950]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd488ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd7b687c 6 bytes {JMP QWORD [RIP+0x3297b4]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd7b8e30 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd7b995c 6 bytes {JMP QWORD [RIP+0x3866d4]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd7b99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd7b9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd7ba51c 6 bytes JMP 30 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd7ba530 6 bytes JMP 2c633833 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd7ba5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd7ba5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd7bbb28 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd7bbb3c 3 bytes JMP 0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd7bbb40 2 bytes JMP 0 .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff233e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[908] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[908] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000017b50a0 6 bytes {JMP QWORD [RIP+0xaaf90]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8f5c520]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000774f1370 6 bytes {JMP QWORD [RIP+0x8c2ecc0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8f0ec90]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x964ebc0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000774f14d0 6 bytes {JMP QWORD [RIP+0x8c0eb60]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000774f14e0 6 bytes {JMP QWORD [RIP+0x8e6eb50]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x953eac0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000774f1640 6 bytes {JMP QWORD [RIP+0x8e8e9f0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 6 bytes {JMP QWORD [RIP+0x8cae980]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x95ee970]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c8e900]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 4 bytes [FF, 25, A0, E8] .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 5 00000000774f1795 1 byte [09] .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x94de850]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8bce640]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8bae630]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8cce420]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000774f1c90 6 bytes {JMP QWORD [RIP+0x8e0e3a0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8d4e380]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8d0e320]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x960e310]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x966e300]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000774f1d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x956df90]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x962df00]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 6 bytes {JMP QWORD [RIP+0x8eade90]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 6 bytes {JMP QWORD [RIP+0x8cede60]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 6 bytes {JMP QWORD [RIP+0x8c6ddf0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 6 bytes {JMP QWORD [RIP+0x8d2dda0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000774f27a0 6 bytes {JMP QWORD [RIP+0x8d6d890]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x958d690]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000774f29c0 6 bytes {JMP QWORD [RIP+0x8eed670]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x94fd610]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x951d590]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000773862e0 6 bytes {JMP QWORD [RIP+0x8c99d50]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077393a20 6 bytes {JMP QWORD [RIP+0x8cec610]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x94424b0]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000774016e0 6 bytes {JMP QWORD [RIP+0x8c3e950]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 79000026 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0D] .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff377490 11 bytes JMP 000007fffd470228 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff38bf00 7 bytes JMP 000007fffd470260 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x60dd64]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x5c7c98]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x5e6cec]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd7b687c 6 bytes {JMP QWORD [RIP+0x3297b4]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd7b8e30 6 bytes {JMP QWORD [RIP+0x3a7200]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd7b995c 6 bytes {JMP QWORD [RIP+0x3866d4]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd7b99e4 6 bytes JMP 3ac1 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd7b9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd7ba51c 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd7ba530 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd7ba5b0 5 bytes JMP 30000 .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd7ba5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd7bbb28 6 bytes {JMP QWORD [RIP+0x344508]} .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd7bbb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\DllHost.exe[3124] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd7bbb40 2 bytes [36, 00] .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8f5c520]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000774f1370 6 bytes {JMP QWORD [RIP+0x8c2ecc0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8f0ec90]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x964ebc0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000774f14d0 6 bytes {JMP QWORD [RIP+0x8c0eb60]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000774f14e0 6 bytes {JMP QWORD [RIP+0x8e6eb50]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x953eac0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000774f1640 6 bytes {JMP QWORD [RIP+0x8e8e9f0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 6 bytes {JMP QWORD [RIP+0x8cae980]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x95ee970]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c8e900]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 4 bytes [FF, 25, A0, E8] .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 5 00000000774f1795 1 byte [09] .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x94de850]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8bce640]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8bae630]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8cce420]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000774f1c90 6 bytes {JMP QWORD [RIP+0x8e0e3a0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8d4e380]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8d0e320]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x960e310]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x966e300]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000774f1d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x956df90]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x962df00]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 6 bytes {JMP QWORD [RIP+0x8eade90]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 6 bytes {JMP QWORD [RIP+0x8cede60]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 6 bytes {JMP QWORD [RIP+0x8c6ddf0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 6 bytes {JMP QWORD [RIP+0x8d2dda0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000774f27a0 6 bytes {JMP QWORD [RIP+0x8d6d890]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x958d690]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000774f29c0 6 bytes {JMP QWORD [RIP+0x8eed670]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x94fd610]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x951d590]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000773862e0 6 bytes {JMP QWORD [RIP+0x8c99d50]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077393a20 6 bytes {JMP QWORD [RIP+0x8cec610]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x94424b0]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000774016e0 6 bytes {JMP QWORD [RIP+0x8c3e950]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes [FF, 25, 70, AC, 0D] .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd7b687c 6 bytes {JMP QWORD [RIP+0x3297b4]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd7b8e30 6 bytes {JMP QWORD [RIP+0x3a7200]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd7b995c 6 bytes JMP 10000000 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd7b99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd7b9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd7ba51c 6 bytes {JMP QWORD [RIP+0x305b14]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd7ba530 6 bytes {JMP QWORD [RIP+0x2e5b00]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd7ba5b0 5 bytes [FF, 25, 80, 5A, 07] .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd7ba5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd7bbb28 6 bytes {JMP QWORD [RIP+0x344508]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd7bbb3c 3 bytes JMP 0 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd7bbb40 2 bytes JMP 0 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes {JMP QWORD [RIP+0x657c98]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\system32\notepad.exe[4740] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000774c3b10 6 bytes {JMP QWORD [RIP+0x8f5c520]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000774f1370 6 bytes {JMP QWORD [RIP+0x8c2ecc0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774f13a0 6 bytes {JMP QWORD [RIP+0x8f0ec90]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000774f1470 6 bytes {JMP QWORD [RIP+0x964ebc0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000774f14d0 6 bytes {JMP QWORD [RIP+0x8c0eb60]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000774f14e0 6 bytes {JMP QWORD [RIP+0x8e6eb50]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774f1570 6 bytes {JMP QWORD [RIP+0x953eac0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774f15e0 6 bytes {JMP QWORD [RIP+0x8e4ea50]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774f1620 6 bytes {JMP QWORD [RIP+0x8deea10]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000774f1640 6 bytes {JMP QWORD [RIP+0x8e8e9f0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774f16b0 6 bytes {JMP QWORD [RIP+0x8cae980]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000774f16c0 6 bytes {JMP QWORD [RIP+0x95ee970]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774f1730 6 bytes {JMP QWORD [RIP+0x8c8e900]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774f1750 6 bytes {JMP QWORD [RIP+0x8dce8e0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774f1790 4 bytes [FF, 25, A0, E8] .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 5 00000000774f1795 1 byte [09] .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774f17e0 6 bytes {JMP QWORD [RIP+0x94de850]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000774f1800 6 bytes {JMP QWORD [RIP+0x8e2e830]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000774f19f0 6 bytes {JMP QWORD [RIP+0x8bce640]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000774f1a00 6 bytes {JMP QWORD [RIP+0x8bae630]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774f1b00 6 bytes {JMP QWORD [RIP+0x8bee530]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000774f1bd0 6 bytes {JMP QWORD [RIP+0x8d8e460]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774f1c10 6 bytes {JMP QWORD [RIP+0x8cce420]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774f1c80 6 bytes {JMP QWORD [RIP+0x8c4e3b0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000774f1c90 6 bytes {JMP QWORD [RIP+0x8e0e3a0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000774f1cb0 6 bytes {JMP QWORD [RIP+0x8d4e380]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774f1d10 6 bytes {JMP QWORD [RIP+0x8d0e320]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000774f1d20 6 bytes {JMP QWORD [RIP+0x960e310]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774f1d30 6 bytes {JMP QWORD [RIP+0x966e300]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000774f1d90 6 bytes {JMP QWORD [RIP+0x8dae2a0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774f20a0 6 bytes {JMP QWORD [RIP+0x956df90]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000774f2130 6 bytes {JMP QWORD [RIP+0x962df00]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774f2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774f21a0 6 bytes {JMP QWORD [RIP+0x8eade90]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774f21d0 6 bytes {JMP QWORD [RIP+0x8cede60]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774f2240 6 bytes {JMP QWORD [RIP+0x8c6ddf0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774f2290 6 bytes {JMP QWORD [RIP+0x8d2dda0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000774f27a0 6 bytes {JMP QWORD [RIP+0x8d6d890]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774f29a0 6 bytes {JMP QWORD [RIP+0x958d690]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000774f29c0 6 bytes {JMP QWORD [RIP+0x8eed670]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774f2a20 6 bytes {JMP QWORD [RIP+0x94fd610]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774f2aa0 6 bytes {JMP QWORD [RIP+0x951d590]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000773862e0 6 bytes {JMP QWORD [RIP+0x8c99d50]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000077393a20 6 bytes {JMP QWORD [RIP+0x8cec610]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007739db80 6 bytes {JMP QWORD [RIP+0x94424b0]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773bf2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773e9a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773f94c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000773f9630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000774016e0 6 bytes {JMP QWORD [RIP+0x8c3e950]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774187e0 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd482db0 5 bytes JMP 000007fffd470180 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4837d0 7 bytes JMP 000007fffd4700d8 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd488ef0 6 bytes JMP 000007fffd470148 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd489055 3 bytes CALL 9000027 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd4953c0 5 bytes JMP 0 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd49af60 5 bytes JMP 000007fffd470110 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd7b687c 6 bytes {JMP QWORD [RIP+0x3297b4]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd7b8e30 6 bytes JMP 0 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd7b995c 6 bytes {JMP QWORD [RIP+0x3866d4]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd7b99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd7b9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd7ba51c 6 bytes {JMP QWORD [RIP+0x305b14]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd7ba530 6 bytes {JMP QWORD [RIP+0x2e5b00]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd7ba5b0 5 bytes JMP 1000c .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd7ba5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd7bbb28 6 bytes {JMP QWORD [RIP+0x344508]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd7bbb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\notepad.exe[4960] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd7bbb40 2 bytes [36, 00] .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefefa22cc 6 bytes {JMP QWORD [RIP+0x69dd64]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefefa8398 6 bytes JMP c1dee5b0 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefefa89d8 6 bytes {JMP QWORD [RIP+0x397658]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefefa89f0 8 bytes JMP 000007fffd4701f0 .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefefa9344 6 bytes {JMP QWORD [RIP+0x676cec]} .text C:\Windows\system32\notepad.exe[4960] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefefabe50 8 bytes JMP 000007fffd4701b8 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007769f9e0 3 bytes JMP 71af000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007769f9e4 2 bytes JMP 71af000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007769fb28 3 bytes JMP 7133000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007769fb2c 2 bytes JMP 7133000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007769fcb0 3 bytes JMP 7160000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007769fcb4 2 bytes JMP 7160000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007769fd64 3 bytes JMP 713f000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007769fd68 2 bytes JMP 713f000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007769fdc8 3 bytes JMP 7145000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007769fdcc 2 bytes JMP 7145000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007769fec0 3 bytes JMP 713c000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007769fec4 2 bytes JMP 713c000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007769ff74 3 bytes JMP 7178000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007769ff78 2 bytes JMP 7178000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007769ffa4 3 bytes JMP 7148000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007769ffa8 2 bytes JMP 7148000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000776a0004 3 bytes JMP 716c000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000776a0008 2 bytes JMP 716c000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000776a0084 3 bytes JMP 7169000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000776a0088 2 bytes JMP 7169000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000776a00b4 3 bytes JMP 7142000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000776a00b8 2 bytes JMP 7142000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000776a03b8 3 bytes JMP 712d000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000776a03bc 2 bytes JMP 712d000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000776a03d0 3 bytes JMP 717e000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000776a03d4 2 bytes JMP 717e000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a0550 3 bytes JMP 7181000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000776a0554 2 bytes JMP 7181000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000776a0694 3 bytes JMP 715d000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000776a0698 2 bytes JMP 715d000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000776a06f4 3 bytes JMP 7175000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000776a06f8 2 bytes JMP 7175000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000776a079c 3 bytes JMP 717b000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000776a07a0 2 bytes JMP 717b000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000776a07e4 3 bytes JMP 716f000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000776a07e8 2 bytes JMP 716f000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000776a0874 3 bytes JMP 7172000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000776a0878 2 bytes JMP 7172000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000776a088c 3 bytes JMP 7139000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000776a0890 2 bytes JMP 7139000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776a08a4 3 bytes JMP 7130000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000776a08a8 2 bytes JMP 7130000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000776a0df4 3 bytes JMP 715a000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000776a0df8 2 bytes JMP 715a000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000776a0ed8 3 bytes JMP 7136000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000776a0edc 2 bytes JMP 7136000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000776a1be4 3 bytes JMP 714b000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000776a1be8 2 bytes JMP 714b000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000776a1cb4 3 bytes JMP 7166000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000776a1cb8 2 bytes JMP 7166000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000776a1d8c 3 bytes JMP 7163000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000776a1d90 2 bytes JMP 7163000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000776c1287 6 bytes JMP 71a8000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ee1409 7 bytes JMP 0000000172161fa0 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ee3bbb 3 bytes JMP 719c000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ee3bbf 2 bytes JMP 719c000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076efb21b 5 bytes JMP 0000000172161eb0 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076f78e24 7 bytes JMP 0000000172161ea0 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076f78ea9 5 bytes JMP 0000000172161f90 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076f791ff 5 bytes JMP 0000000172161f20 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007663f784 6 bytes JMP 719f000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076641d29 5 bytes JMP 0000000172162730 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076641dd7 5 bytes JMP 0000000172162790 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076642ab1 5 bytes JMP 0000000172162800 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076642c9e 4 bytes CALL 71ac0000 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076642d17 5 bytes JMP 0000000172162980 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753cee09 6 bytes JMP 7184000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753d7603 6 bytes JMP 7187000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753d835c 6 bytes JMP 718a000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758e58b3 6 bytes JMP 7190000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000758e7bcc 6 bytes JMP 7199000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000758ecbfb 6 bytes JMP 7193000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000758ee743 6 bytes JMP 7196000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758fe96b 5 bytes JMP 0000000172161a20 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758feba5 5 bytes JMP 0000000172161ab0 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000750b124e 6 bytes JMP 718d000a .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 76efb21b C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 76efb346 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 76f78ea9 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 76ed48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 76f787a2 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 76f78978 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 76f78698 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 76f78a62 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 76eefca8 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 76ef68ef C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 76f78f61 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 76f78ac2 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 76f7865c C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 76eefd41 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 76efb2dc C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 76f78e24 C:\Windows\syswow64\kernel32.dll .text D:\Pobrane\95gbcexd.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 76f785f1 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{1CA0EDB3-D23D-45EB-A9A6-58ADD350B8F5}\Connection@Name isatap.{03CFECCD-5D16-41A1-AB45-1E11A1779E38} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{BACE7272-6A26-4B11-9BB1-70AE067651FE}?\Device\{A75158A0-52AD-4843-BF90-AD98FC54D2AD}?\Device\{1CA0EDB3-D23D-45EB-A9A6-58ADD350B8F5}?\Device\{3476A817-3C9C-41A5-8C61-8C089AC8062B}?\Device\{16670515-06C1-4744-8BE6-1E5E0370437B}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{BACE7272-6A26-4B11-9BB1-70AE067651FE}"?"{A75158A0-52AD-4843-BF90-AD98FC54D2AD}"?"{1CA0EDB3-D23D-45EB-A9A6-58ADD350B8F5}"?"{3476A817-3C9C-41A5-8C61-8C089AC8062B}"?"{16670515-06C1-4744-8BE6-1E5E0370437B}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{BACE7272-6A26-4B11-9BB1-70AE067651FE}?\Device\TCPIP6TUNNEL_{A75158A0-52AD-4843-BF90-AD98FC54D2AD}?\Device\TCPIP6TUNNEL_{1CA0EDB3-D23D-45EB-A9A6-58ADD350B8F5}?\Device\TCPIP6TUNNEL_{3476A817-3C9C-41A5-8C61-8C089AC8062B}?\Device\TCPIP6TUNNEL_{16670515-06C1-4744-8BE6-1E5E0370437B}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9cb70dcf9e42 Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{1CA0EDB3-D23D-45EB-A9A6-58ADD350B8F5}@InterfaceName isatap.{03CFECCD-5D16-41A1-AB45-1E11A1779E38} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{1CA0EDB3-D23D-45EB-A9A6-58ADD350B8F5}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 14509 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 3594 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9cb70dcf9e42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroExt.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerPlugin_16_0_0_235.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_145_pepper.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_179_pepper.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_15_0_0_152_pepper.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_16_0_0_235_Plugin.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_145_pepper.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_14_0_0_179_pepper.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_15_0_0_152_pepper.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_16_0_0_235_Plugin.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Reg HKLM\SYSTEM\VritualRoot\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe ---- EOF - GMER 2.1 ----