GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-14 21:50:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_EVO_120GB rev.EXT0DB6Q 111,79GB Running: h7lzxhzm.exe; Driver: C:\Users\Konrad\AppData\Local\Temp\fxddypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773fda60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773fdc60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773fda60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773fdc60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\services.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\services.exe[592] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde73440 6 bytes JMP 0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077196ef0 6 bytes {JMP QWORD [RIP+0x92a9140]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077198184 6 bytes {JMP QWORD [RIP+0x9387eac]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetParent 0000000077198530 6 bytes {JMP QWORD [RIP+0x92c7b00]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077199bcc 6 bytes {JMP QWORD [RIP+0x9026464]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostMessageA 000000007719a404 6 bytes {JMP QWORD [RIP+0x9065c2c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!EnableWindow 000000007719aaa0 6 bytes {JMP QWORD [RIP+0x93c5590]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!MoveWindow 000000007719aad0 6 bytes {JMP QWORD [RIP+0x92e5560]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007719c720 6 bytes {JMP QWORD [RIP+0x9283910]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007719cd50 6 bytes {JMP QWORD [RIP+0x93632e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007719d2b0 6 bytes {JMP QWORD [RIP+0x90a2d80]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageA 000000007719d338 6 bytes {JMP QWORD [RIP+0x90e2cf8]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007719dc40 6 bytes {JMP QWORD [RIP+0x91c23f0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007719f510 6 bytes {JMP QWORD [RIP+0x93a0b20]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007719f874 6 bytes {JMP QWORD [RIP+0x8fe07bc]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007719fac0 6 bytes {JMP QWORD [RIP+0x9140570]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000771a0b74 6 bytes {JMP QWORD [RIP+0x90bf4bc]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000771a33b0 6 bytes {JMP QWORD [RIP+0x903cc80]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000771a4d4d 5 bytes {JMP QWORD [RIP+0x8ffb2e4]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetKeyState 00000000771a5010 6 bytes {JMP QWORD [RIP+0x925b020]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000771a5438 6 bytes {JMP QWORD [RIP+0x917abf8]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageW 00000000771a6b50 6 bytes {JMP QWORD [RIP+0x90f94e0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!PostMessageW 00000000771a76e4 6 bytes {JMP QWORD [RIP+0x907894c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000771add90 6 bytes {JMP QWORD [RIP+0x91f22a0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetClipboardData 00000000771ae874 6 bytes {JMP QWORD [RIP+0x93317bc]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000771af780 6 bytes {JMP QWORD [RIP+0x92f08b0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000771b28e4 6 bytes {JMP QWORD [RIP+0x918d74c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!mouse_event 00000000771b3894 6 bytes {JMP QWORD [RIP+0x8f8c79c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000771b8a10 6 bytes {JMP QWORD [RIP+0x9227620]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000771b8be0 6 bytes {JMP QWORD [RIP+0x9107450]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000771b8c20 6 bytes {JMP QWORD [RIP+0x8fa7410]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendInput 00000000771b8cd0 6 bytes {JMP QWORD [RIP+0x9207360]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!BlockInput 00000000771bad60 6 bytes {JMP QWORD [RIP+0x93052d0]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000771e14e0 6 bytes {JMP QWORD [RIP+0x939eb50]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!keybd_event 00000000772045a4 6 bytes {JMP QWORD [RIP+0x8f1ba8c]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007720cc08 6 bytes {JMP QWORD [RIP+0x9173428]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007720df18 6 bytes {JMP QWORD [RIP+0x90f2118]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\services.exe[592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 1 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 3103a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde73440 6 bytes {JMP QWORD [RIP+0x1ecbf0]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP ffffffff .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde73440 6 bytes {JMP QWORD [RIP+0x1ecbf0]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP fb000000 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 2da438 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP e9520 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\System32\svchost.exe[404] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 200073 .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[472] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 660066 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde73440 6 bytes {JMP QWORD [RIP+0x1ecbf0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\SHELL32.dll!SHFileOperationW 00000000026a8f1c 5 bytes [FF, 25, 14, 71, DA] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\SHELL32.dll!SHFileOperation 00000000028c22e4 6 bytes {JMP QWORD [RIP+0xb5dd4c]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x2bdd64]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2ddb70]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2fa440]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x277c98]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x257674]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x296d10]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x334648]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x313740]} .text C:\Windows\system32\atieclxx.exe[1364] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1108b90]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefde73440 6 bytes {JMP QWORD [RIP+0x1ecbf0]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 51cb7bda .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1456] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 321e20 .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP f9058b48 .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[1644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe[1732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNEL32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP c .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe[1812] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL 9b6 .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\taskhost.exe[1876] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 61437869 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP eeefab0b .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 69006d .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 4d0065 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP e20ddaf0 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 2e9ca8 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 6c5cfd8 .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe828f1c 5 bytes [FF, 25, 14, 71, E7] .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefea422e4 6 bytes {JMP QWORD [RIP+0xc3dd4c]} .text C:\Windows\Explorer.EXE[1092] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 3be8 .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 2000000 .text C:\Program Files\ShrewSoft\VPN Client\iked.exe[1576] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1088] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 0 .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 6d0020 .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2096] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 09] .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 76] .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x6ddd64]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x6fdb70]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x71a440]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x547c98]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x527674]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x566d10]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x754648]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x733740]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2196] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bb000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bb000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dc000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dc000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c7000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c7000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70cd000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70cd000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c4000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c4000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f4000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f4000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d0000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d0000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e8000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e8000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e5000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e5000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ca000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ca000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b5000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b5000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fa000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fa000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fd000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fd000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70d9000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70d9000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f1000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f1000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f7000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f7000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70eb000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70eb000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ee000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ee000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c1000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c1000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b8000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b8000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d6000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d6000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70be000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70be000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d3000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d3000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e2000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e2000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70df000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70df000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7157000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 714b000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7106000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7145000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 713f000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710c000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710c000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7151000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7124000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711b000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711b000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7103000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7118000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7118000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7154000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714e000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 715a000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7148000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 7109000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7133000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7139000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7142000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7115000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7115000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7130000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 712d000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7121000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7127000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7127000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712a000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712a000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 710f000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7100000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 713c000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7136000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7112000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7112000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711e000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711e000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7157000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 714b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7145000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7118000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7154000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 7109000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7115000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7130000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 712d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7121000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 710f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7100000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7112000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7112000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP db28d6a5 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 2de7b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 30c380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2408] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL 9b6 .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe[2432] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system\GfsMgr64.exe[2448] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\GfsMgr.exe[2456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ExMgr.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 4400431 .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 55c1600 .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP a70739c .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 2000000 .text C:\Program Files\HD Audio PCI-e Audio Device\CPL\FaceLift_x64.exe[2476] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bb000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bb000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dc000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dc000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c7000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c7000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70cd000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70cd000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c4000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c4000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f4000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f4000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d0000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d0000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e8000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e8000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e5000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e5000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ca000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ca000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b5000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b5000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fa000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fa000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fd000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fd000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70d9000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70d9000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f1000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f1000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f7000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f7000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70eb000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70eb000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ee000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ee000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c1000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c1000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b8000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b8000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d6000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d6000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70be000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70be000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d3000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d3000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e2000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e2000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70df000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70df000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetWindowLongW 0000000076d38332 6 bytes JMP 7157000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!PostThreadMessageW 0000000076d38bff 6 bytes JMP 714b000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7106000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendMessageW 0000000076d39679 6 bytes JMP 7145000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 713f000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710c000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710c000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!PostMessageW 0000000076d412a5 6 bytes JMP 7151000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!GetKeyState 0000000076d4291f 6 bytes JMP 7124000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetParent 0000000076d42d64 3 bytes JMP 711b000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetParent + 4 0000000076d42d68 2 bytes JMP 711b000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!EnableWindow 0000000076d42da4 6 bytes JMP 7103000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!MoveWindow 0000000076d43698 3 bytes JMP 7118000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7118000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000076d43baa 6 bytes JMP 7154000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714e000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetWindowLongA 0000000076d46110 6 bytes JMP 715a000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendMessageA 0000000076d4612e 6 bytes JMP 7148000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 7109000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7133000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7139000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7142000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7115000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7115000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7130000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 712d000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7121000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7127000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7127000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendInput 0000000076d5ff4a 3 bytes JMP 712a000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712a000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!GetClipboardData 0000000076d79f1d 6 bytes JMP 710f000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!ExitWindowsEx 0000000076d81497 6 bytes JMP 7100000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 713c000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7136000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!BlockInput 0000000076d97dd7 3 bytes JMP 7112000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7112000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711e000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711e000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Konrad\AppData\Roaming\Spotify\SpotifyWebHelper.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes [9B, 71] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70b9000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70b9000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70da000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70da000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c5000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c5000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70cb000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70cb000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c2000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c2000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f2000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f2000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e6000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e6000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b3000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b3000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70f8000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70f8000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fb000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fb000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70d7000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70d7000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70ef000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70ef000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f5000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f5000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70e9000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70e9000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70bf000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70bf000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b6000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b6000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d4000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d4000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70bc000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d1000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d1000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70dd000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70dd000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a6000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719a000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719a000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7185000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717c000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 7188000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7182000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 717f000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719d000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7155000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7149000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7104000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7143000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 713d000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715b000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710a000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710a000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 714f000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7122000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7119000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7119000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7101000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7116000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7116000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7152000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714c000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7158000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7146000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 7107000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 715e000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7131000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7137000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7140000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7161000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7113000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7113000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 712e000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 712b000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 711f000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7125000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7125000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7128000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7128000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 710d000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70fe000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7164000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7167000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 713a000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7134000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7110000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7110000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711c000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711c000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718b000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7173000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7194000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 718e000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716a000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7170000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7191000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716d000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7176000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 7179000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7197000a .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 708d000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 708d000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70ae000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70ae000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 7099000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 7099000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 709f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 709f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 7096000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 7096000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70a2000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70a2000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 709c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 709c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 7087000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 7087000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70ab000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70ab000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 7093000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 7093000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 708a000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 708a000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 7090000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 7090000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70a5000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70a5000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7129000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 711d000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70d8000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7117000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7111000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 712f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70de000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70de000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7123000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 70f6000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70d5000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 70ea000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 0000000076d43711 .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7126000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7120000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 712c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 711a000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70db000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 715a000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7105000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 710b000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7114000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 715d000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7102000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 70ff000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 70f3000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 70e1000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70d2000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7160000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7163000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 710e000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7108000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7166000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\concentr.exe[2932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 709e000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 709e000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 7098000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 7098000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70da000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70da000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 709b000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 709b000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 713a000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 712e000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70e9000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7128000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7122000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7134000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7107000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70e6000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7137000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7131000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 715a000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 712b000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70ec000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7116000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 711c000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7125000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7113000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7110000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7104000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 710a000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 710a000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 710d000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 710d000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70e3000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 711f000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7119000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7101000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 5 0000000076d988f0 1 byte [71] .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\redirector.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 7094000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 7094000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70b5000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70b5000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70a0000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70a0000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70a6000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70a6000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 709d000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 709d000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70a9000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70a9000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70c1000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70c1000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70be000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70be000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70a3000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70a3000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 708e000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 708e000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70d3000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70d3000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70d6000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70d6000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70b2000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70b2000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70ca000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70ca000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70d0000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70d0000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70c4000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70c4000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 709a000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 709a000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 7091000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 7091000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70af000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70af000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 7097000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 7097000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70ac000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70ac000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70b8000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70b8000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7181000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 7178000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 7184000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 717e000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 717b000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7151000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7145000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70df000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 713f000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7139000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7157000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70e5000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70e5000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 714b000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 70fd000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 70f4000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 70f4000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70dc000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 70f1000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 70f1000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 714e000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7148000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7154000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7142000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70e2000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 715a000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 712d000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7133000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 713c000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 715d000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 70ee000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 70ee000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7109000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7106000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 70fa000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7100000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7100000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7103000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7103000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 70e8000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70d9000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7160000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7163000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7136000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7130000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 70eb000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 70eb000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 70f7000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 70f7000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7166000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 716c000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7169000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7172000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 7175000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Command Center\MSIControlService.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBootService.exe[2156] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MSI\Super Charger\ChargeService.exe[2616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 709b000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 709b000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70ad000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70ad000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70b0000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70b0000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70aa000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70aa000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 7095000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 7095000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70da000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70da000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 7098000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 7098000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 709e000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 709e000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70b3000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70b3000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7185000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 7188000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7182000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 717f000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7142000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 712b000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70e6000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7125000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 711f000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715b000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 713c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7104000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70e3000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 713f000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 712e000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7145000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7128000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70e9000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 715e000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7113000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7119000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7122000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7161000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7110000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 710d000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7101000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7107000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7107000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 710a000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 710a000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 70ef000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70e0000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7164000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7167000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 711c000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7116000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7173000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716a000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7170000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716d000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7176000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 7179000a .text C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[344] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 7096000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 7096000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70a2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70a2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 709f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 709f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70ab000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70ab000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70a5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70a5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 7090000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 7090000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 709c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 709c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 7093000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 7093000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 7099000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 7099000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70ae000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70ae000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7162000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 7159000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 7165000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 715f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 715c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7132000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7126000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70e1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7120000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 711a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7138000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70e7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70e7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 712c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 70ff000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 70f6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 70f6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70de000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 70f3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 70f3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 712f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7129000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7135000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7123000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70e4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 713b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 710e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7114000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 711d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 713e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 70f0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 70f0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 710b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7108000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 70fc000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7102000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7102000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7105000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7105000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 70ea000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70db000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7141000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7144000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7117000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7111000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 70ed000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 70ed000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7150000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7147000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 714d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 714a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7153000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 7156000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3088] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a ? C:\Windows\system32\mssprxy.dll [3088] entry point in ".rdata" section 000000006ca071e6 .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL 9b6 .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\RAPID\SamsungRapidSvc.exe[3116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 2a080a .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bc000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bc000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dd000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dd000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c8000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c8000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70ce000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70ce000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c5000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c5000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f5000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f5000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d1000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d1000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e9000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e9000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e6000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e6000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70cb000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70cb000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b6000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b6000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fb000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fb000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fe000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fe000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70da000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70da000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f2000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f2000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f8000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f8000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70ec000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70ec000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ef000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ef000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c2000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c2000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b9000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b9000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d7000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d7000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70bf000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70bf000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d4000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d4000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e3000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e3000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e0000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e0000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7107000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710d000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710d000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7125000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711c000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711c000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7104000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7119000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7119000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710a000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7116000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7116000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7122000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7128000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7128000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712b000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712b000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7110000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7101000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7113000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7113000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711f000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711f000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\KERNEL32.dll .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 70aa000a .text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3296] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 70ad000a .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 38 .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP ee28a42c .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\wbem\wmiprvse.exe[4000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70da000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70da000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7107000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710d000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710d000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7125000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7104000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7119000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7119000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710a000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7116000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7116000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7122000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7128000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7128000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712b000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712b000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7110000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7101000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7113000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7113000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711f000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 70b0000a .text C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe[3452] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 70b3000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 708e000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 708e000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70af000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70af000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 709a000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 709a000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70a0000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70a0000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 7097000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 7097000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70a3000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70a3000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 709d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 709d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 7088000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 7088000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70ac000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70ac000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70be000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70be000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 7094000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 7094000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 708b000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 708b000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70a9000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70a9000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 7091000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 7091000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70a6000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70a6000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 712e000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7122000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70d9000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 711c000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7116000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 715d000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70df000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70df000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7128000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 70f7000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70d6000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 712b000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7125000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7159000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 711f000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70dc000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7160000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7106000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 7110000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7119000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7103000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7100000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 70f4000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 70e2000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70d3000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7169000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7113000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7109000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7178000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 717b000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773fdb30 8 bytes JMP 000000016fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes JMP 66 .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[5096] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\system32\svchost.exe[5116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\System32\svchost.exe[5656] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Windows\system32\GWX\GWX.exe[5208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\GWX\GWX.exe[5208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 234620 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[2696] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773fdb30 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 709c000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 709c000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes [BC, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes [AD, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes [A4, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes [B0, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes [C8, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70ab000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70ab000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 7096000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 7096000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes [DA, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70de000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70de000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes [B9, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes [D1, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes [D7, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes [CB, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes [A1, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 7099000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 7099000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes [B6, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes [9E, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes [B3, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes [C2, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes [BF, 70] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes [9B, 71] .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe[5640] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\regedit.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes CALL b03 .text C:\Windows\regedit.exe[4656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 0 .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\regedit.exe[4656] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70ac000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70ac000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70a6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70a6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70a9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70a9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 7198000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 7198000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7183000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 7186000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7180000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 717d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 7153000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7147000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 7141000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7159000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 714d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 7150000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 714a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7156000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 7144000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 715c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 713e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 715f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 7162000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 7165000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 7189000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 7171000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7192000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 718c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7168000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 716e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 718f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 716b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7195000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 7174000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 7177000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes {JMP QWORD [RIP+0x93023c0]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes {JMP QWORD [RIP+0x93a2310]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes {JMP QWORD [RIP+0x9402270]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes {JMP QWORD [RIP+0x92821a0]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes {JMP QWORD [RIP+0x92a2150]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes {JMP QWORD [RIP+0x91c1f30]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes {JMP QWORD [RIP+0x9221d20]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes {JMP QWORD [RIP+0x91e1cb0]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes {JMP QWORD [RIP+0x9441800]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes {JMP QWORD [RIP+0x92e0e90]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes {JMP QWORD [RIP+0x8dc0b20]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes {JMP QWORD [RIP+0x2da440]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes {JMP QWORD [RIP+0x237674]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes {JMP QWORD [RIP+0x276d10]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes {JMP QWORD [RIP+0x2f3740]} .text C:\Windows\System32\svchost.exe[6412] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x208b90]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70b6000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70b6000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c2000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c2000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 7125000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7122000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 7128000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 7128000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 712b000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 712b000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7101000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 711f000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 711f000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\shell32.dll!SHFileOperationW 0000000076129650 6 bytes JMP 70b0000a .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[6488] C:\Windows\syswow64\shell32.dll!SHFileOperation 000000007632bb21 6 bytes JMP 70b3000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[5464] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3250 6 bytes {JMP QWORD [RIP+0x8c6cde0]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000773fdaa0 6 bytes {JMP QWORD [RIP+0x8c22590]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000773fdb70 6 bytes {JMP QWORD [RIP+0x94624c0]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773fdc70 6 bytes JMP 200065 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773fdce0 6 bytes {JMP QWORD [RIP+0x93e2350]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773fdd20 6 bytes JMP 200069 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000773fddc0 6 bytes JMP 20202020 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773fde30 6 bytes {JMP QWORD [RIP+0x9202200]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773fde50 6 bytes {JMP QWORD [RIP+0x93821e0]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773fde90 6 bytes JMP 200020 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773fdee0 6 bytes JMP 200020 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000773fdf00 6 bytes {JMP QWORD [RIP+0x93c2130]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000773fe0f0 6 bytes {JMP QWORD [RIP+0x94a1f40]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000773fe100 6 bytes JMP 200079 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773fe200 6 bytes {JMP QWORD [RIP+0x91a1e30]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000773fe2d0 6 bytes {JMP QWORD [RIP+0x9321d60]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773fe310 6 bytes JMP 650073 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773fe380 6 bytes JMP 1002c .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000773fe3b0 6 bytes {JMP QWORD [RIP+0x9261c80]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773fe410 6 bytes {JMP QWORD [RIP+0x9241c20]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000773fe420 6 bytes {JMP QWORD [RIP+0x9421c10]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773fe430 6 bytes {JMP QWORD [RIP+0x9481c00]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773fe7a0 6 bytes {JMP QWORD [RIP+0x9341890]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000773fe830 6 bytes JMP 720068 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773ff0a0 6 bytes {JMP QWORD [RIP+0x9360f90]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773ff120 6 bytes {JMP QWORD [RIP+0x92c0f10]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773ff1a0 6 bytes JMP 0 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000772a18f0 6 bytes {JMP QWORD [RIP+0x8e5e740]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000772adb10 6 bytes {JMP QWORD [RIP+0x8db2520]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007731f4e0 6 bytes {JMP QWORD [RIP+0x8d80b50]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007731f510 6 bytes JMP 69006b .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007731f6e0 6 bytes {JMP QWORD [RIP+0x8d60950]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 00000000773254b0 6 bytes {JMP QWORD [RIP+0x8d9ab80]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd2ab022 3 bytes [E8, 4F, 09] .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd2b60e0 5 bytes JMP 0 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd5222cc 6 bytes JMP 0 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd5224c0 6 bytes JMP 8 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd525bf0 6 bytes JMP 313d4e0 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd528398 6 bytes JMP 0 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd5289bc 6 bytes JMP 0 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd529320 6 bytes JMP 2e0065 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd52b9e8 6 bytes JMP d .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd52c8f0 6 bytes JMP 3458700 .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe828f1c 5 bytes [FF, 25, 14, 71, E7] .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefea422e4 6 bytes {JMP QWORD [RIP+0xc3dd4c]} .text F:\Pobieranie\FRST64.exe[6968] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe5e74a0 6 bytes {JMP QWORD [RIP+0x1078b90]} .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775afa20 3 bytes JMP 71af000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000775afa24 2 bytes JMP 71af000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000775afb68 3 bytes JMP 70c1000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 00000000775afb6c 2 bytes JMP 70c1000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afcf0 3 bytes JMP 70e2000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000775afcf4 2 bytes JMP 70e2000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775afda4 3 bytes JMP 70cd000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000775afda8 2 bytes JMP 70cd000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000775afe08 3 bytes JMP 70d3000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000775afe0c 2 bytes JMP 70d3000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000775aff00 3 bytes JMP 70ca000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000775aff04 2 bytes JMP 70ca000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775affb4 3 bytes JMP 70fa000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 00000000775affb8 2 bytes JMP 70fa000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000775affe4 3 bytes JMP 70d6000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000775affe8 2 bytes JMP 70d6000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000775b0044 3 bytes JMP 70ee000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000775b0048 2 bytes JMP 70ee000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000775b00c4 3 bytes JMP 70eb000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000775b00c8 2 bytes JMP 70eb000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775b00f4 3 bytes JMP 70d0000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000775b00f8 2 bytes JMP 70d0000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000775b03f8 3 bytes JMP 70bb000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000775b03fc 2 bytes JMP 70bb000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000775b0410 3 bytes JMP 7100000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000775b0414 2 bytes JMP 7100000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775b0590 3 bytes JMP 7103000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000775b0594 2 bytes JMP 7103000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000775b06d4 3 bytes JMP 70df000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000775b06d8 2 bytes JMP 70df000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000775b0734 3 bytes JMP 70f7000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000775b0738 2 bytes JMP 70f7000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775b07dc 3 bytes JMP 70fd000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000775b07e0 2 bytes JMP 70fd000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000775b0824 3 bytes JMP 70f1000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000775b0828 2 bytes JMP 70f1000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775b08b4 3 bytes JMP 70f4000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 00000000775b08b8 2 bytes JMP 70f4000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000775b08cc 3 bytes JMP 70c7000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000775b08d0 2 bytes JMP 70c7000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000775b08e4 3 bytes JMP 70be000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000775b08e8 2 bytes JMP 70be000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000775b0e34 3 bytes JMP 70dc000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000775b0e38 2 bytes JMP 70dc000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000775b0f18 3 bytes JMP 70c4000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000775b0f1c 2 bytes JMP 70c4000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000775b1c24 3 bytes JMP 70d9000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000775b1c28 2 bytes JMP 70d9000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000775b1cf4 3 bytes JMP 70e8000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000775b1cf8 2 bytes JMP 70e8000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000775b1dcc 3 bytes JMP 70e5000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000775b1dd0 2 bytes JMP 70e5000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d3b8c 6 bytes JMP 71a8000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754a3b93 3 bytes JMP 719c000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754a3b97 2 bytes JMP 719c000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000754a9a8c 6 bytes JMP 7187000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000754b3b52 6 bytes JMP 717e000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000754bccd1 6 bytes JMP 718a000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007550dc4e 6 bytes JMP 7184000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007550dcf1 6 bytes JMP 7181000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000757bf784 6 bytes JMP 719f000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000757c2ca4 4 bytes CALL 71ac0000 .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076d38332 6 bytes JMP 715d000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076d38bff 6 bytes JMP 7151000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076d390d3 6 bytes JMP 710c000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076d39679 6 bytes JMP 714b000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076d397d2 6 bytes JMP 7145000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076d3ee09 6 bytes JMP 7163000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076d3efc9 3 bytes JMP 7112000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076d3efcd 2 bytes JMP 7112000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076d412a5 6 bytes JMP 7157000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076d4291f 6 bytes JMP 712a000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetParent 0000000076d42d64 3 bytes JMP 7121000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076d42d68 2 bytes JMP 7121000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076d42da4 6 bytes JMP 7109000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076d43698 3 bytes JMP 711e000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076d4369c 2 bytes JMP 711e000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076d43baa 6 bytes JMP 715a000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076d43c61 6 bytes JMP 7154000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076d46110 6 bytes JMP 7160000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076d4612e 6 bytes JMP 714e000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076d46c30 6 bytes JMP 710f000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076d47603 6 bytes JMP 7166000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076d47668 6 bytes JMP 7139000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076d476e0 6 bytes JMP 713f000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076d4781f 6 bytes JMP 7148000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076d4835c 6 bytes JMP 7169000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076d4c4b6 3 bytes JMP 711b000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076d4c4ba 2 bytes JMP 711b000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076d5c112 6 bytes JMP 7136000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076d5d0f5 6 bytes JMP 7133000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076d5eb96 6 bytes JMP 7127000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076d5ec68 3 bytes JMP 712d000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076d5ec6c 2 bytes JMP 712d000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendInput 0000000076d5ff4a 3 bytes JMP 7130000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076d5ff4e 2 bytes JMP 7130000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076d79f1d 6 bytes JMP 7115000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076d81497 6 bytes JMP 7106000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076d9027b 6 bytes JMP 716c000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076d902bf 6 bytes JMP 716f000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076d96cfc 6 bytes JMP 7142000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076d96d5d 6 bytes JMP 713c000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076d97dd7 3 bytes JMP 7118000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076d97ddb 2 bytes JMP 7118000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076d988eb 3 bytes JMP 7124000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076d988ef 2 bytes JMP 7124000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750358b3 6 bytes JMP 718d000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075035ea5 6 bytes JMP 717b000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075037ba4 6 bytes JMP 7196000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007503b986 6 bytes JMP 7190000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007503ba5f 6 bytes JMP 7172000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007503cc01 6 bytes JMP 7178000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007503ea03 6 bytes JMP 7193000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075064969 6 bytes JMP 7175000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ad9d0b 6 bytes JMP 7199000a .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e51401 2 bytes JMP 754bb20b C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e51419 2 bytes JMP 754bb336 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e51431 2 bytes JMP 75538f39 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e5144a 2 bytes CALL 75494885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e514dd 2 bytes JMP 75538832 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e514f5 2 bytes JMP 75538a08 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e5150d 2 bytes JMP 75538728 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e51525 2 bytes JMP 75538af2 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e5153d 2 bytes JMP 754afc98 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e51555 2 bytes JMP 754b68df C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e5156d 2 bytes JMP 75538ff1 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e51585 2 bytes JMP 75538b52 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e5159d 2 bytes JMP 755386ec C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e515b5 2 bytes JMP 754afd31 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e515cd 2 bytes JMP 754bb2cc C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e516b2 2 bytes JMP 75538eb4 C:\Windows\syswow64\kernel32.dll .text F:\Pobieranie\h7lzxhzm.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e516bd 2 bytes JMP 75538681 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000ea1307e6b Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2\Allowed@Num 121 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000ea1307e6b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----