GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-14 19:49:37 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 WDC_WD5000BPVT-80HXZT1 rev.01.01A01 465,76GB Running: bdp0db03.exe; Driver: C:\Users\Bozix-pan\AppData\Local\Temp\uxldqpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd83ffac30 8 bytes JMP 00007ffd841200d8 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd83ffae30 8 bytes JMP 00007ffd84120110 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 8 bytes JMP 00007ffd84120148 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd83ffac30 8 bytes JMP 00007ffd841200d8 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd83ffae30 8 bytes JMP 00007ffd84120110 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 8 bytes JMP 00007ffd84120148 .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\services.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd821bdf24 6 bytes {JMP QWORD [RIP+0x15210c]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd821deee0 6 bytes {JMP QWORD [RIP+0x111150]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x74eb90]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x76eb40]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x7ae400]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7eb310]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x7bb3a0]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ec88c]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x75667c]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ec270]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\services.exe[680] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\services.exe[680] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\services.exe[680] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\services.exe[680] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\lsass.exe[688] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd821bdf24 6 bytes {JMP QWORD [RIP+0x15210c]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd821deee0 6 bytes {JMP QWORD [RIP+0x111150]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x74eb90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x76eb40]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x7ae400]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7eb310]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x7bb3a0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ec88c]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x75667c]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ec270]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd821bdf24 6 bytes {JMP QWORD [RIP+0x15210c]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd821deee0 6 bytes {JMP QWORD [RIP+0x111150]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x74eb90]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x76eb40]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x7ae400]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7eb310]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x7bb3a0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ec88c]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x75667c]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ec270]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[812] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!BitBlt 00007ffd836f3d3c 6 bytes {JMP QWORD [RIP+0x47c2f4]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!CreateDCA 00007ffd83702458 6 bytes {JMP QWORD [RIP+0x3ddbd8]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!CreateDCW 00007ffd83702638 6 bytes {JMP QWORD [RIP+0x3fd9f8]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!StretchBlt 00007ffd83714c90 6 bytes {JMP QWORD [RIP+0x4bb3a0]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!GetPixel 00007ffd83714df0 6 bytes {JMP QWORD [RIP+0x40b240]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!MaskBlt 00007ffd83715444 6 bytes {JMP QWORD [RIP+0x47abec]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\GDI32.dll!PlgBlt 00007ffd83763a94 6 bytes {JMP QWORD [RIP+0x44c59c]} .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\dwm.exe[888] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd821bdf24 6 bytes {JMP QWORD [RIP+0x15210c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd821deee0 6 bytes {JMP QWORD [RIP+0x111150]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x74eb90]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x76eb40]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x7ae400]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7eb310]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x7bb3a0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ec88c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x75667c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ec270]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\svchost.exe[512] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ffd821bdf24 6 bytes {JMP QWORD [RIP+0x15210c]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ffd821deee0 6 bytes {JMP QWORD [RIP+0x111150]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x74eb90]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x76eb40]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x7ae400]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7eb310]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x7bb3a0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ec88c]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x75667c]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ec270]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffd83ffad00 8 bytes JMP 00007ffe83ea00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 8 bytes JMP 00007ffe83ea0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 8 bytes JMP 00007ffe83ea0110 .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x7aee80]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 4 bytes [FF, 25, 30, EE] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetParent + 5 00007ffd81be1205 1 byte [00] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x70ee20]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x6eee10]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x7ceb90]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x7eeb40]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x82e400]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x76e3e0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x86b310]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x723230]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x542f98]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x83b3a0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x86c88c]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x72c220]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x4f919c]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x7d667c]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x86c270]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x4e3eb8]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\taskhostex.exe[1528] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes JMP ff4a9d00 .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x20aee80]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x208ee30]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x200ee20]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x1f6ee10]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x20ceb90]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x214eb40]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x218e400]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x206e3e0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x223b310]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes JMP 12110e0c .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x2023230]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes JMP ffffffff .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes JMP b001c704 .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x220b3a0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x223c88c]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x202c220]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes JMP ff4a9d00 .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x4f919c]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x213667c]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x223c270]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x4e3eb8]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!BitBlt 00007ffd836f3d3c 6 bytes {JMP QWORD [RIP+0x47c2f4]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!CreateDCA 00007ffd83702458 6 bytes {JMP QWORD [RIP+0x3ddbd8]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!CreateDCW 00007ffd83702638 6 bytes {JMP QWORD [RIP+0x3fd9f8]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!StretchBlt 00007ffd83714c90 6 bytes {JMP QWORD [RIP+0x4bb3a0]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!GetPixel 00007ffd83714df0 6 bytes JMP 3a .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!MaskBlt 00007ffd83715444 6 bytes {JMP QWORD [RIP+0x47abec]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\GDI32.dll!PlgBlt 00007ffd83763a94 6 bytes {JMP QWORD [RIP+0x44c59c]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813700d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x1fcee80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x1faee30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x1f2ee20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x1f0ee10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x1feeb90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x200eb40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x204e400]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x1f8e3e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x52be90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 4 bytes [FF, 25, 10, B3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SystemParametersInfoW + 5 00007ffd81be4d25 1 byte [02] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x4eafb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x563a90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x1f43230]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x1e22f98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x205b3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x208c88c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x1f4c220]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x1ebf160]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x4de750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x55919c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x1ff667c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x20fc270]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x1e43eb8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x4c3464]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[1984] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x6eee80]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x58ee30]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x50ee20]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x4eee10]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x70eb90]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x72eb40]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x76e400]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x56e3e0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x7ab310]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x443a90]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x523230]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x482f98]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x77b3a0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x7ac88c]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x52c220]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x49f160]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x43919c]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x71667c]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x7ac270]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x423eb8]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x3a3464]} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\svchost.exe[2176] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813700d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x1fcee80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x1faee30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x1f2ee20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x1f0ee10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x1feeb90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x200eb40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x204e400]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x1f8e3e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x52be90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 4 bytes [FF, 25, 10, B3] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SystemParametersInfoW + 5 00007ffd81be4d25 1 byte [02] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x4eafb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x563a90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x1f43230]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x1e22f98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x205b3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x208c88c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x1f4c220]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x1ebf160]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x4de750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x55919c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x1ff667c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x20fc270]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x1e43eb8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x4c3464]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 69] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 77] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 73] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 79] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 59] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 61] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 63] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 75] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 83] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 55] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 53] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 6B] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 5B] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 57] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 5F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 5D] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 7B] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 81] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 6D] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 7D] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x6f3c40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x653ba0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x673b10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813700d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x281ee80]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x27fee30]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x277ee20]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x275ee10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x283eb90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x285eb40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x289e400]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x27de3e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x25fcee4]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x25bcbd0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x267be90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x28db310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x263afb0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x25961d0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2616010]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x26b3a90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x2793230]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x26f2f98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x2531c2c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 3 bytes [25, D8, FD] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetWinEventHook + 5 00007ffd81bf025d 1 byte [00] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x55d410]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x28ab3a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x28dc88c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x279c220]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x50a4f0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x25b9860]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 6 bytes {JMP QWORD [RIP+0x2209490]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x270f160]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x262e750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x26a919c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x284667c]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x4d4d40]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x28dc270]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x4f2cfc]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x2693eb8]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x2613464]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes JMP 19 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes JMP e82 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes JMP 1000100 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x20aee80]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x208ee30]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x200ee20]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x1f6ee10]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x20ceb90]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x218e400]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x206e3e0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x223b310]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes JMP 17bd1 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x2023230]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x542f98]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x220b3a0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x223c88c]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x202c220]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes JMP 9af09c1 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes JMP fffff901 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x213667c]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x223c270]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxtray.exe[1488] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x7aee80]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 4 bytes [FF, 25, 30, EE] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetParent + 5 00007ffd81be1205 1 byte [00] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x70ee20]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x6eee10]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x7ceb90]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x7eeb40]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x82e400]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x76e3e0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x86b310]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x723230]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x542f98]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x83b3a0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x86c88c]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x72c220]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x4f919c]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x7d667c]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x86c270]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x4e3eb8]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[1860] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes {JMP QWORD [RIP+0x2c3b10]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x7aee80]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 4 bytes [FF, 25, 30, EE] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetParent + 5 00007ffd81be1205 1 byte [00] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x70ee20]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x6eee10]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x7ceb90]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x7eeb40]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x82e400]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x76e3e0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x86b310]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x723230]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x542f98]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x83b3a0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x86c88c]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x72c220]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x4f919c]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x7d667c]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x86c270]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x4e3eb8]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\system32\conhost.exe[2032] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes JMP 1be .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes [FF, 25, 60, 4F, 3A] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes JMP 168e1 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes JMP 2e0032 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes JMP 2e .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x20aee80]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x208ee30]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x200ee20]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x1f6ee10]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x20ceb90]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x218e400]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x206e3e0]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes JMP 690057 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x35be90]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x223b310]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x2023230]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x542f98]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x220b3a0]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x202c220]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes JMP 70000 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x4f919c]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x213667c]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes JMP 60009 .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x4e3eb8]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\hkcmd.exe[1236] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes {JMP QWORD [RIP+0x1aa4d4]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 3C] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes JMP 1f0000 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 3E] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes JMP 1be .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes JMP 61004e .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes [FF, 25, 50, 4D, 48] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes [FF, 25, 30, 4D, 1A] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes JMP 168e1 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes [FF, 25, 30, 4B, 30] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes [FF, 25, 50, 4A, 1C] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes [FF, 25, B0, 49, 40] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes [FF, 25, 90, 45, 32] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 42] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes {JMP QWORD [RIP+0x343c40]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x2a3ba0]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes JMP 2e .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x20aee80]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x208ee30]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x200ee20]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x1f6ee10]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x20ceb90]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x218e400]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x206e3e0]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes {JMP QWORD [RIP+0x2dcee4]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes JMP 0 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x223b310]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x31afb0]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x503a90]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x2023230]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x542f98]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x220b3a0]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x223c88c]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x202c220]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes JMP 70000 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x55f160]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x30e750]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x4f919c]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x213667c]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x223c270]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes JMP 60009 .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x4e3eb8]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x463464]} .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Windows\System32\igfxpers.exe[3144] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes JMP 5c0032 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 44] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes [FF, 25, F0, 51, 2E] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes JMP a4f3a .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 38] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes JMP 244c8b48 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes [FF, 25, 30, 50, 1E] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 36] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes [FF, 25, D0, 4F, 26] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 28] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes JMP e9e9 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes JMP 3b7d60 C:\Program Files\COMODO\GeekBuddy\web-client.dll .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes [FF, 25, 30, 4C, 18] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes JMP 313e313d .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 20] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes [FF, 25, 20, 4A, 24] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes [FF, 25, C0, 49, 22] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes JMP 30f88301 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 46] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes JMP 8b48018b .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes JMP 2f883ff .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes JMP 74fe3b48 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes JMP 200c .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes JMP bac .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes {JMP QWORD [RIP+0x199c4c]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x80ee80]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x7eee30]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes JMP 4446e010 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x74ee10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x82eb90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x84eb40]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes {JMP QWORD [RIP+0x88e400]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x7ce3e0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes JMP 610062 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes {JMP QWORD [RIP+0x29cbd0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x52be90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x8cb310]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x4eafb0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes {JMP QWORD [RIP+0x2761d0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes {JMP QWORD [RIP+0x2f6010]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x563a90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x783230]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x6e2f98]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes {JMP QWORD [RIP+0x251c2c]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes {JMP QWORD [RIP+0x20fdd8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes {JMP QWORD [RIP+0x1ed410]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x89b3a0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x8cc88c]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x78c220]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes {JMP QWORD [RIP+0x19a4f0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes {JMP QWORD [RIP+0x299860]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes [FF, 25, 90, 94, 21] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x6ff160]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes {JMP QWORD [RIP+0x4de750]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x55919c]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes {JMP QWORD [RIP+0x83667c]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x8cc270]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x683eb8]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes {JMP QWORD [RIP+0x4c3464]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffd83fb5b5c 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffd83ffac70 5 bytes [FF, 25, C0, 53, 14] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ffd83ffad40 5 bytes [FF, 25, F0, 52, 51] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd83ffae40 5 bytes JMP 50244c8b .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffd83ffaeb0 5 bytes [FF, 25, 80, 51, 49] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd83ffaef0 5 bytes [FF, 25, 40, 51, 45] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ffd83ffaf90 5 bytes [FF, 25, A0, 50, 4B] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd83ffb000 5 bytes JMP 1a641 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd83ffb020 5 bytes [FF, 25, 10, 50, 43] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd83ffb060 5 bytes JMP 246c8b48 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd83ffb0b0 5 bytes [FF, 25, 80, 4F, 35] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffd83ffb0d0 5 bytes JMP 351cf0 C:\Program Files\COMODO\GeekBuddy\web-client.dll .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ffd83ffb2e0 5 bytes JMP 10001 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ffd83ffb300 5 bytes JMP 33313731 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd83ffb400 5 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00007ffd83ffb500 5 bytes JMP 4c8b4830 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd83ffb550 5 bytes [FF, 25, E0, 4A, 2D] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd83ffb5e0 5 bytes JMP 1857 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00007ffd83ffb610 5 bytes JMP 320d75c0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd83ffb670 5 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ffd83ffb680 5 bytes JMP 2e346572 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd83ffb690 5 bytes [FF, 25, A0, 49, 53] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd83ffbaa0 5 bytes JMP 24548948 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ffd83ffbb30 5 bytes [FF, 25, 00, 45, 4F] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd83ffc3f0 6 bytes JMP ccccccc3 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd83ffc490 6 bytes {JMP QWORD [RIP+0x373ba0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd83ffc520 6 bytes JMP 850f1238 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ffd813a6176 3 bytes [94, 9E, 10] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffd813afd34 5 bytes JMP 00007ffe813900d8 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ffd813b8430 5 bytes [FF, 25, 00, 7C, 14] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\KERNELBASE.dll!MoveFileWithProgressTransactedW + 1 00007ffd813c5511 5 bytes {JMP QWORD [RIP+0x15ab20]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\KERNELBASE.dll!CopyFileExW 00007ffd813c63e4 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\KERNELBASE.dll!CopyFile2 00007ffd8141f678 6 bytes {JMP QWORD [RIP+0x1209b8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!MoveWindow 00007ffd81be11b0 6 bytes {JMP QWORD [RIP+0x228ee80]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetParent 00007ffd81be1200 6 bytes {JMP QWORD [RIP+0x226ee30]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!GetKeyboardState 00007ffd81be1210 6 bytes {JMP QWORD [RIP+0x217ee20]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendInput 00007ffd81be1220 6 bytes {JMP QWORD [RIP+0x215ee10]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetClipboardViewer 00007ffd81be14a0 6 bytes {JMP QWORD [RIP+0x22aeb90]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!BlockInput 00007ffd81be14f0 6 bytes {JMP QWORD [RIP+0x253eb40]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!RegisterHotKey 00007ffd81be1c30 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00007ffd81be1c50 6 bytes {JMP QWORD [RIP+0x224e3e0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!PostThreadMessageW 00007ffd81be314c 6 bytes JMP 12d05 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!PostMessageW 00007ffd81be3460 6 bytes JMP 4f09 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendMessageTimeoutW + 1 00007ffd81be41a1 5 bytes {JMP QWORD [RIP+0x200be90]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00007ffd81be4d20 6 bytes {JMP QWORD [RIP+0x25fb310]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendMessageW 00007ffd81be5080 6 bytes {JMP QWORD [RIP+0x58afb0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!PostMessageA 00007ffd81be9e60 6 bytes JMP 68736157 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendMessageA 00007ffd81bea020 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00007ffd81bec5a0 6 bytes {JMP QWORD [RIP+0x2043a90]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!GetKeyState + 1 00007ffd81bece01 5 bytes {JMP QWORD [RIP+0x2203230]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00007ffd81bed098 6 bytes {JMP QWORD [RIP+0x2082f98]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetWindowLongW 00007ffd81bee404 6 bytes JMP 53006e .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00007ffd81bf0259 5 bytes JMP 1238fd59 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00007ffd81bf2c20 6 bytes JMP 43 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00007ffd81bf4c90 6 bytes {JMP QWORD [RIP+0x25cb3a0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!EnableWindow 00007ffd81c037a4 6 bytes {JMP QWORD [RIP+0x25fc88c]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00007ffd81c03e10 6 bytes {JMP QWORD [RIP+0x220c220]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!mouse_event 00007ffd81c05b40 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!PostThreadMessageA 00007ffd81c067d0 6 bytes JMP c4b .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetWindowLongA 00007ffd81c06ba0 5 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00007ffd81c10ed0 6 bytes {JMP QWORD [RIP+0x210f160]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00007ffd81c118e0 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00007ffd81c16e94 6 bytes {JMP QWORD [RIP+0x203919c]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!GetClipboardData 00007ffd81c199b4 6 bytes JMP 1 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!keybd_event 00007ffd81c1b2f0 6 bytes {JMP QWORD [RIP+0x164d40]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!ExitWindowsEx 00007ffd81c23dc0 6 bytes {JMP QWORD [RIP+0x25fc270]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00007ffd81c3d334 6 bytes {JMP QWORD [RIP+0x182cfc]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 00007ffd81c6c178 6 bytes {JMP QWORD [RIP+0x2023eb8]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\USER32.dll!SendMessageCallbackA 00007ffd81c6cbcc 6 bytes JMP 0 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd83d8169a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd83d816a2 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd83d8181a 4 bytes [D8, 83, FD, 7F] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd83d81832 4 bytes [D8, 83, FD, 7F] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[680] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\services.exe[680] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\services.exe[680] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\lsass.exe[688] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\lsass.exe[688] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\lsass.exe[688] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[764] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[764] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[764] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[812] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[812] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[812] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\dwm.exe[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\dwmredir.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\uDWM.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\dwm.exe[888] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\svchost.exe[956] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[956] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[956] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\System32\svchost.exe[992] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\System32\svchost.exe[992] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\System32\svchost.exe[992] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1020] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1020] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1020] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1020] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1020] @ c:\windows\system32\ATL.DLL[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[396] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[396] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[396] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\System32\svchost.exe[512] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\System32\svchost.exe[512] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\System32\svchost.exe[512] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\MSUTB.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\taskhostex.exe[1528] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\Explorer.EXE[USER32.dll!PeekMessageW] [6c0245f0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\Explorer.EXE[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\Explorer.EXE[dwmapi.dll!DwmEnableBlurBehindWindow] [6c022360] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\SHELL32.dll[USER32.dll!UnloadKeyboardLayout] [6c01dbc0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\UxTheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\DUI70.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\DUI70.dll[KERNEL32.dll!FindResourceW] [7ffd79c42170] C:\Windows\System32\OldNewExplorer64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\DUser.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!ShowWindow] [6c022a60] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!GetSystemMetrics] [6c009cd0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!PostMessageW] [6c022af0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!TrackPopupMenu] [6c022f00] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!SetCursorPos] [6c023080] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\twinui.dll[dwmapi.dll!DwmSetWindowAttribute] [6c0230d0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\explorerframe.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\SearchFolder.dll[USER32.dll!UnloadKeyboardLayout] [6c01dbc0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\MsftEdit.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\authui.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\System32\thumbcache.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\System32\InputSwitch.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\stobject.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\BatMeter.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.16384_none_9332526147499ed1\gdiplus.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\prnfldr.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\SYSTEM32\ntshrui.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\System32\AltTab.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\WSShared.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\System32\Windows.UI.Xaml.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\System32\hgcpl.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\System32\werconcpl.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\Explorer.EXE[1704] @ C:\Windows\system32\NetworkExplorer.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1832] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[1924] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1984] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1984] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1984] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[1984] @ C:\Windows\System32\ATL.DLL[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[2176] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[2176] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Windows\system32\svchost.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[316] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83980000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\SYSTEM32\d3d9.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.16384_none_9332526147499ed1\gdiplus.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[1600] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83cb0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxtray.exe[1488] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[1860] @ C:\Windows\system32\conhost.exe[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[1860] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[1860] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[1860] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[1860] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\conhost.exe[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\system32\conhost.exe[2032] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\comctl32.DLL[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\hkcmd.exe[1236] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Windows\System32\igfxpers.exe[3144] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[3356] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\COMDLG32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\USER32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\COMCTL32.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] IAT C:\Program Files\COMODO\GeekBuddy\unit.exe[3476] @ C:\Windows\system32\dwmapi.dll[GDI32.dll!DeleteDC] [7ffd83ac0000] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [588:1472] fffff96000846b90 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x47 0x56 0xCD 0x60 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xCA 0x53 0xA4 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x47 0x56 0xCD 0x60 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xF5 0x28 0xA6 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 101 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO26EC0_01_07D9_65^8C35842E00795679DA68617EE50115F9@Timestamp 0xEB 0x48 0x9E 0x63 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 716 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Bozix-pan\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Bozix-pan\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Bozix-pan\AppData\Local\Temp\nsb93FE.tmp\??\??\C:\Users\Bozix-pan\AppData\Local\Temp\nsb93FE.tmp\Lang\ENU.dll??\??\C:\Users\Bozix-pan\AppData\Local\Temp\nsb93FE.tmp\Lang\PLK.dll?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900080 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1477498470 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 104 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 450429049 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 7520 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 87c10615-6335-49de-b26c-09103a1 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{47d730ee-5231-43df-a4a2-7473519ca591}@LastProbeTime 1439553866 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?sie ?14 ?15, 12:04:23??????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2901 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 872 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 103 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8919913D-0045-46DE-AE51-E0F5B599F26F}@LeaseObtainedTime 1439546661 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8919913D-0045-46DE-AE51-E0F5B599F26F}@T1 1439589861 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8919913D-0045-46DE-AE51-E0F5B599F26F}@T2 1439622261 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8919913D-0045-46DE-AE51-E0F5B599F26F}@LeaseTerminatesTime 1439633061 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\iexplore@Count 707 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 285 ---- Files - GMER 2.1 ---- ADS C:\Windows\notepad.exe:Zone.Identifier 925184 bytes executable ADS C:\Windows\System32\notepad.exe:Zone.Identifier 925184 bytes executable ADS C:\Windows\WinSxS\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.3.9600.16384_none_33882ce9cf04143d\notepad.exe:Zone.Identifier 925184 bytes executable ADS C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.3.9600.16384_none_5fd8ed8643f6c1e7\notepad.exe:Zone.Identifier 925184 bytes executable ---- EOF - GMER 2.1 ----