GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-21 20:44:16 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 KINGSTON rev.541A 111,79GB Running: e7tbxpm6.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\awrdrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b01360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b01560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b01360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b01560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[628] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd13e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes JMP 9b3 .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000779b6ef0 6 bytes {JMP QWORD [RIP+0x89e9140]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000779b8184 6 bytes {JMP QWORD [RIP+0x8ac7eac]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetParent 00000000779b8530 6 bytes {JMP QWORD [RIP+0x8a07b00]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000779b9bcc 6 bytes {JMP QWORD [RIP+0x8766464]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!PostMessageA 00000000779ba404 6 bytes {JMP QWORD [RIP+0x87a5c2c]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!EnableWindow 00000000779baaa0 6 bytes {JMP QWORD [RIP+0x8b05590]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!MoveWindow 00000000779baad0 6 bytes {JMP QWORD [RIP+0x8a25560]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000779bc720 6 bytes {JMP QWORD [RIP+0x89c3910]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000779bcd50 6 bytes {JMP QWORD [RIP+0x8aa32e0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000779bd2b0 6 bytes {JMP QWORD [RIP+0x87e2d80]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageA 00000000779bd338 6 bytes {JMP QWORD [RIP+0x8822cf8]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000779bdc40 6 bytes {JMP QWORD [RIP+0x89023f0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000779bf510 6 bytes {JMP QWORD [RIP+0x8ae0b20]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000779bf874 6 bytes {JMP QWORD [RIP+0x87207bc]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000779bfac0 6 bytes {JMP QWORD [RIP+0x8880570]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000779c0b74 6 bytes {JMP QWORD [RIP+0x87ff4bc]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000779c33b0 6 bytes {JMP QWORD [RIP+0x877cc80]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000779c4d4d 5 bytes {JMP QWORD [RIP+0x873b2e4]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!GetKeyState 00000000779c5010 6 bytes {JMP QWORD [RIP+0x899b020]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000779c5438 6 bytes {JMP QWORD [RIP+0x88babf8]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageW 00000000779c6b50 6 bytes {JMP QWORD [RIP+0x88394e0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!PostMessageW 00000000779c76e4 6 bytes {JMP QWORD [RIP+0x87b894c]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000779cdd90 6 bytes {JMP QWORD [RIP+0x89322a0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!GetClipboardData 00000000779ce874 6 bytes {JMP QWORD [RIP+0x8a717bc]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000779cf780 6 bytes {JMP QWORD [RIP+0x8a308b0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779d28e4 6 bytes {JMP QWORD [RIP+0x88cd74c]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!mouse_event 00000000779d3894 6 bytes {JMP QWORD [RIP+0x86cc79c]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000779d8a10 6 bytes {JMP QWORD [RIP+0x8967620]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000779d8be0 6 bytes {JMP QWORD [RIP+0x8847450]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000779d8c20 6 bytes {JMP QWORD [RIP+0x86e7410]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendInput 00000000779d8cd0 6 bytes {JMP QWORD [RIP+0x8947360]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!BlockInput 00000000779dad60 6 bytes {JMP QWORD [RIP+0x8a452d0]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077a014e0 6 bytes {JMP QWORD [RIP+0x8adeb50]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!keybd_event 0000000077a245a4 6 bytes {JMP QWORD [RIP+0x865ba8c]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077a2cc08 6 bytes {JMP QWORD [RIP+0x88b3428]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077a2df18 4 bytes [FF, 25, 18, 21] .text C:\Windows\system32\services.exe[628] C:\Windows\system32\USER32.dll!SendMessageCallbackA + 5 0000000077a2df1d 1 byte [08] .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 40003e .text C:\Windows\system32\services.exe[628] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes JMP 0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 1000c .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000db50a0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\lsm.exe[652] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011450a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd13e80 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 20 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 6f2d .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 478 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 51716c11 .text C:\Windows\system32\svchost.exe[800] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000012d50a0 6 bytes JMP 30 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd13e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP fddbdd48 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011550a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text E:\COMODO\COMODO Internet Security\cmdagent.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b01430 8 bytes JMP 000000016fff00d8 .text E:\COMODO\COMODO Internet Security\cmdagent.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\svchost.exe[120] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011650a0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 452f .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\atiesrxx.exe[376] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\System32\svchost.exe[620] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000011850a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 485e7deb .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 65 .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\System32\SspiCli.dll!EncryptMessage 00000000012a50a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012b50a0 6 bytes {JMP QWORD [RIP+0x20af90]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd13e80 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012850a0 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x26db70]} .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 200073 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1132] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000012150a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Windows\system32\Hpservice.exe[1328] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 452f .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\atieclxx.exe[1388] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000033550a0 6 bytes {JMP QWORD [RIP+0x4daf90]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 650072 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 1c1f8917 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000025a50a0 6 bytes {JMP QWORD [RIP+0xbaf90]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdd13e80 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 6e0020 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011550a0 6 bytes JMP 3 .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 452f .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Program Files\IDT\WDM\AESTSr64.exe[1848] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe[1928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\wbem\unsecapp.exe[2204] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\wbem\wmiprvse.exe[2380] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000013c50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 4f0052 .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\taskhost.exe[3236] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000025d50a0 6 bytes {JMP QWORD [RIP+0x13af90]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\taskeng.exe[3272] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000025150a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 1000c .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\Dwm.exe[3308] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 6c0072 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 9000003c .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 650075 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP fdcc1a80 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000779b6ef0 6 bytes {JMP QWORD [RIP+0x89e9140]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000779b8184 6 bytes {JMP QWORD [RIP+0x8ac7eac]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetParent 00000000779b8530 6 bytes {JMP QWORD [RIP+0x8a07b00]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000779b9bcc 6 bytes {JMP QWORD [RIP+0x8766464]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!PostMessageA 00000000779ba404 6 bytes {JMP QWORD [RIP+0x87a5c2c]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!EnableWindow 00000000779baaa0 6 bytes {JMP QWORD [RIP+0x8b05590]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!MoveWindow 00000000779baad0 6 bytes {JMP QWORD [RIP+0x8a25560]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000779bc720 6 bytes {JMP QWORD [RIP+0x89c3910]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000779bcd50 6 bytes {JMP QWORD [RIP+0x8aa32e0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000779bd2b0 6 bytes {JMP QWORD [RIP+0x87e2d80]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageA 00000000779bd338 6 bytes {JMP QWORD [RIP+0x8822cf8]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000779bdc40 6 bytes {JMP QWORD [RIP+0x89023f0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000779bf510 6 bytes {JMP QWORD [RIP+0x8ae0b20]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000779bf874 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000779bfac0 6 bytes {JMP QWORD [RIP+0x8880570]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000779c0b74 6 bytes {JMP QWORD [RIP+0x87ff4bc]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000779c33b0 6 bytes {JMP QWORD [RIP+0x877cc80]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000779c4d4d 5 bytes {JMP QWORD [RIP+0x873b2e4]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!GetKeyState 00000000779c5010 6 bytes {JMP QWORD [RIP+0x899b020]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000779c5438 6 bytes {JMP QWORD [RIP+0x88babf8]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageW 00000000779c6b50 6 bytes {JMP QWORD [RIP+0x88394e0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!PostMessageW 00000000779c76e4 6 bytes {JMP QWORD [RIP+0x87b894c]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000779cdd90 6 bytes {JMP QWORD [RIP+0x89322a0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!GetClipboardData 00000000779ce874 6 bytes {JMP QWORD [RIP+0x8a717bc]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000779cf780 6 bytes {JMP QWORD [RIP+0x8a308b0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779d28e4 6 bytes {JMP QWORD [RIP+0x88cd74c]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!mouse_event 00000000779d3894 6 bytes {JMP QWORD [RIP+0x86cc79c]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000779d8a10 6 bytes {JMP QWORD [RIP+0x8967620]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000779d8be0 6 bytes {JMP QWORD [RIP+0x8847450]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000779d8c20 6 bytes {JMP QWORD [RIP+0x86e7410]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendInput 00000000779d8cd0 6 bytes {JMP QWORD [RIP+0x8947360]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!BlockInput 00000000779dad60 6 bytes {JMP QWORD [RIP+0x8a452d0]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077a014e0 6 bytes {JMP QWORD [RIP+0x8adeb50]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!keybd_event 0000000077a245a4 6 bytes {JMP QWORD [RIP+0x865ba8c]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077a2cc08 6 bytes {JMP QWORD [RIP+0x88b3428]} .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077a2df18 4 bytes [FF, 25, 18, 21] .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\USER32.dll!SendMessageCallbackA + 5 0000000077a2df1d 1 byte [08] .text C:\Windows\Explorer.EXE[3416] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x28a440]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Program Files\IDT\WDM\sttray64.exe[3584] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x2a3750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 452f .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x374638]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x353750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3600] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000003ef50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 43] .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 26dd08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP aba7 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x2c4638]} .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3632] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000002ba50a0 6 bytes JMP 9b3 .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text E:\PowerMenu\PowerMenu.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 452f .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 3459e08a .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 65732073 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3812] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes JMP 452f .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes JMP 0 .text C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe[3168] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70ca000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70ca000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70eb000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70eb000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70d6000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70d6000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70dc000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70dc000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d3000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d3000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7103000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7103000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70df000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70df000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70f7000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70f7000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70f4000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70f4000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70d9000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70d9000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70c4000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70c4000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 7109000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 7109000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 710c000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 710c000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70e8000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70e8000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7100000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7100000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 7106000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 7106000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 70fa000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 70fa000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 70fd000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 70fd000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d0000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d0000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70c7000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70c7000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70e5000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70e5000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70cd000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70cd000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e2000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e2000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f1000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f1000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70ee000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70ee000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 7166000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 715a000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 7115000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 7154000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 714e000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 716c000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 711b000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 711b000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7160000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7133000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 712a000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 712a000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7112000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 7127000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 7127000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7163000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 715d000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 7169000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 7157000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 7118000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 716f000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7142000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 7148000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7151000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7172000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 7124000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 7124000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 713f000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 713c000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7130000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 7136000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 7136000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 7139000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 7139000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 711e000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 710f000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 7175000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 7178000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 714b000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 7145000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7121000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7121000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 712d000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 712d000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 718a000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 7184000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 717b000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7181000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 717e000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 7187000a .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text E:\EaseUS Partition Master 10.1\bin\EpmNews.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 61437869 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes JMP 6f2d .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x2c4638]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x2a3750]} .text C:\Windows\system32\SearchIndexer.exe[3980] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012e50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[5396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5484] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70db000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70db000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7108000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7108000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70de000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70de000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7111000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7111000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7105000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7105000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 70ff000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 70ff000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7102000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7102000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 00000000cc58d76d .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 715f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 7159000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7153000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7120000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7120000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7165000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7138000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 712f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7117000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7168000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7162000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7147000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7156000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 7129000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7144000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7141000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7135000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7123000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7114000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7150000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7126000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7132000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7132000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes JMP 4d68636d .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5804] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes JMP 10730 .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes JMP d845f5fd .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!GetPixel 000007feffab9344 6 bytes JMP a0323229 .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\System32\svchost.exe[5720] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes {JMP QWORD [RIP+0x223750]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8cbebc0]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8b5eac0]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8c3ea50]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8bfea10]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8c5e970]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8a5e900]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8bde8e0]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8ade8a0]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8afe850]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8c1e830]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8cfe640]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8a1e630]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x89fe530]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8b7e460]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8a7e420]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8a3e3b0]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8abe380]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8a9e320]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8c7e310]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8cde300]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8b9df90]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8c9df00]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8bbd690]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8b1d610]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8b3d590]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdb59055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb653c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!DeleteDC 000007feffab22cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!BitBlt 000007feffab24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!MaskBlt 000007feffab5bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!CreateDCW 000007feffab8398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!CreateDCA 000007feffab89d8 6 bytes {JMP QWORD [RIP+0x167658]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!GetPixel 000007feffab9344 6 bytes {JMP QWORD [RIP+0x1a6cec]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!StretchBlt 000007feffabb9f8 6 bytes {JMP QWORD [RIP+0x244638]} .text C:\Windows\system32\AUDIODG.EXE[1680] C:\Windows\System32\GDI32.dll!PlgBlt 000007feffabc8e0 6 bytes JMP 0 .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70d0000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70d0000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70f1000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70f1000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70dc000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70dc000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70e2000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70e2000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70d9000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70d9000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 7109000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 7109000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70e5000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70e5000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70fd000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70fd000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70fa000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70fa000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70df000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70df000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ca000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ca000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 710f000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 710f000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7112000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7112000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70ee000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70ee000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 7106000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 7106000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 710c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 710c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 7100000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 7100000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 7103000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 7103000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70d6000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70d6000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70cd000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70cd000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70eb000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70eb000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70d3000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70d3000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70e8000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70e8000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70f7000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70f7000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70f4000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70f4000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076c33bbb 3 bytes JMP 719c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076c33bbf 2 bytes JMP 719c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075baf784 6 bytes JMP 719f000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075bb2c9e 4 bytes CALL 71ac0000 .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000756a8332 6 bytes JMP 716c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000756a8bff 6 bytes JMP 7160000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000756a90d3 6 bytes JMP 711b000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000756a9679 6 bytes JMP 715a000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000756a97d2 6 bytes JMP 7154000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000756aee09 6 bytes JMP 7172000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000756aefc9 3 bytes JMP 7121000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000756aefcd 2 bytes JMP 7121000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000756b12a5 6 bytes JMP 7166000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000756b291f 6 bytes JMP 7139000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetParent 00000000756b2d64 3 bytes JMP 7130000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetParent + 4 00000000756b2d68 2 bytes JMP 7130000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000756b2da4 6 bytes JMP 7118000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000756b3698 3 bytes JMP 712d000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000756b369c 2 bytes JMP 712d000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000756b3baa 6 bytes JMP 7169000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 00000000756b3c61 6 bytes JMP 7163000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000756b6110 6 bytes JMP 716f000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000756b612e 6 bytes JMP 715d000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 00000000756b6c30 6 bytes JMP 711e000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756b7603 6 bytes JMP 7175000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000756b7668 6 bytes JMP 7148000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000756b76e0 6 bytes JMP 714e000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 00000000756b781f 6 bytes JMP 7157000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000756b835c 6 bytes JMP 7178000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 00000000756bc4b6 3 bytes JMP 712a000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 00000000756bc4ba 2 bytes JMP 712a000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000756cc112 6 bytes JMP 7145000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000756cd0f5 6 bytes JMP 7142000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756ceb96 6 bytes JMP 7136000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000756cec68 3 bytes JMP 713c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000756cec6c 2 bytes JMP 713c000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendInput 00000000756cff4a 3 bytes JMP 713f000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000756cff4e 2 bytes JMP 713f000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000756e9f1d 6 bytes JMP 7124000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000756f1497 6 bytes JMP 7115000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!mouse_event 000000007570027b 6 bytes JMP 717b000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757002bf 6 bytes JMP 717e000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075706cfc 6 bytes JMP 7151000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075706d5d 6 bytes JMP 714b000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075707dd7 3 bytes JMP 7127000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075707ddb 2 bytes JMP 7127000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757088eb 3 bytes JMP 7133000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757088ef 2 bytes JMP 7133000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770f58b3 6 bytes JMP 7190000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770f5ea6 6 bytes JMP 718a000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770f7bcc 6 bytes JMP 7199000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770fb895 6 bytes JMP 7181000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770fc332 6 bytes JMP 7187000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770fcbfb 6 bytes JMP 7193000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770fe743 6 bytes JMP 7196000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000077124857 6 bytes JMP 7184000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718d000a .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c61465 2 bytes [C6, 77] .text C:\Users\Marcin\Desktop\e7tbxpm6.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c614bb 2 bytes [C6, 77] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\PROGRAMY\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4C 0xB2 0x36 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC0 0x67 0x99 0xD7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0xA2 0x1D 0x43 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\PROGRAMY\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4C 0xB2 0x36 0x3E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC0 0x67 0x99 0xD7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1E 0xA2 0x1D 0x43 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----