GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-05 14:34:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000LPVX-22V0TT0 rev.01.01A01 465,76GB Running: u60jl4sq.exe; Driver: C:\Users\Pawel\AppData\Local\Temp\pxldrpob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c1da60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c1dc60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c1da60 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c1dc60 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\services.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\services.exe[740] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feffab3440 6 bytes JMP 7700f3 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077ad7640 6 bytes {JMP QWORD [RIP+0x89689f0]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077ad9554 6 bytes {JMP QWORD [RIP+0x8a46adc]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetParent 0000000077ad9870 6 bytes {JMP QWORD [RIP+0x89867c0]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077adc044 6 bytes {JMP QWORD [RIP+0x86e3fec]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!PostMessageA 0000000077adca54 6 bytes {JMP QWORD [RIP+0x87235dc]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!EnableWindow 0000000077add0f0 6 bytes {JMP QWORD [RIP+0x8a82f40]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!MoveWindow 0000000077add120 6 bytes {JMP QWORD [RIP+0x89a2f10]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000077adf0c4 6 bytes {JMP QWORD [RIP+0x8940f6c]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000077adf690 6 bytes {JMP QWORD [RIP+0x8a209a0]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000077adfc50 6 bytes {JMP QWORD [RIP+0x87603e0]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageA 0000000077adfcd8 6 bytes {JMP QWORD [RIP+0x87a0358]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000077ae03f0 6 bytes {JMP QWORD [RIP+0x887fc40]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000077ae1f30 6 bytes {JMP QWORD [RIP+0x8a5e100]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077ae2294 6 bytes {JMP QWORD [RIP+0x869dd9c]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077ae3464 6 bytes {JMP QWORD [RIP+0x877cbcc]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000077ae5c34 6 bytes {JMP QWORD [RIP+0x86fa3fc]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077ae71e9 5 bytes {JMP QWORD [RIP+0x86b8e48]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!GetKeyState 0000000077ae78c0 6 bytes {JMP QWORD [RIP+0x8918770]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077ae8e28 4 bytes [FF, 25, 08, 72] .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageCallbackW + 5 0000000077ae8e2d 1 byte [08] .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000077ae8f9c 6 bytes {JMP QWORD [RIP+0x87f7094]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!PostMessageW 0000000077ae92d4 6 bytes {JMP QWORD [RIP+0x8736d5c]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageW 0000000077aea800 6 bytes {JMP QWORD [RIP+0x87b5830]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000077af0bf8 6 bytes {JMP QWORD [RIP+0x88af438]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!GetClipboardData 0000000077af1584 6 bytes {JMP QWORD [RIP+0x89eeaac]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000077af2360 6 bytes {JMP QWORD [RIP+0x89adcd0]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000077af5508 6 bytes {JMP QWORD [RIP+0x884ab28]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!mouse_event 0000000077af62c4 6 bytes {JMP QWORD [RIP+0x8649d6c]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077af91a0 6 bytes {JMP QWORD [RIP+0x88e6e90]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077af92e0 6 bytes {JMP QWORD [RIP+0x87c6d50]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077af9320 6 bytes {JMP QWORD [RIP+0x8666d10]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendInput 0000000077af93d0 6 bytes {JMP QWORD [RIP+0x88c6c60]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!BlockInput 0000000077afb430 6 bytes {JMP QWORD [RIP+0x89c4c00]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077b216e0 6 bytes {JMP QWORD [RIP+0x8a5e950]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!keybd_event 0000000077b44474 6 bytes {JMP QWORD [RIP+0x85dbbbc]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077b4cc58 6 bytes {JMP QWORD [RIP+0x88333d8]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077b4dec8 6 bytes {JMP QWORD [RIP+0x87b2168]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 630061 .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\services.exe[740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 6f2d .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 6e0069 .text C:\Windows\system32\lsass.exe[748] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 620057 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes JMP 0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 1000100 .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 9b3 .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\lsm.exe[756] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feffab3440 6 bytes {JMP QWORD [RIP+0x12cbf0]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feffab3440 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 5d30ba3e .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 425e9b10 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077c1db30 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 8 bytes JMP 000000016fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 1000100 C:\Windows\system32\WS2_32.dll .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 9b3 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\System32\svchost.exe[648] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes JMP 1b00500a .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes JMP 2 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes JMP 5b11b00 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes JMP 7b8 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes JMP 165f165f .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes JMP 1e0028 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes JMP 7bb95f1 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes JMP 441682 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes JMP 150027 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes JMP 280028 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes JMP 1d0026 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes JMP 50cbe81 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes JMP 90009 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes JMP 81671a8 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes JMP 7457821 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes JMP 1d0029 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes JMP 7f899d8 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes JMP 681 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes JMP 7facce1 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes JMP 7facce1 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes JMP 8240eb9 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes JMP 742aae0 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes JMP 5d3ad21 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes JMP 81 .text C:\Windows\System32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes JMP 602e5d0 .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes JMP 20c681 .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes JMP 9448c28 .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes JMP e2a6081 .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes JMP 5de8059 .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\System32\svchost.exe[832] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\svchost.exe[512] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feffab3440 6 bytes {JMP QWORD [RIP+0x12cbf0]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe138fe4 5 bytes JMP a2aee8cc .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe352398 6 bytes {JMP QWORD [RIP+0xb6dc98]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL 0 .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes JMP 876e0 .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 1000c .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\system32\AUDIODG.EXE[1120] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0E] .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\system32\igfxCUIService.exe[1280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\Dwm.exe[1512] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x23dd64]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x25db70]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x27a440]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1580] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes JMP ffd3d3d6 .text C:\Windows\Explorer.EXE[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe138fe4 5 bytes [FF, 25, 4C, 70, DA] .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe352398 6 bytes {JMP QWORD [RIP+0xb6dc98]} .text C:\Windows\Explorer.EXE[1588] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feffab3440 6 bytes {JMP QWORD [RIP+0x12cbf0]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL 9b6 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077dcfa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077dcfa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077dcfb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077dcfb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077dcfcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077dcfcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077dcfda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077dcfda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077dcfe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077dcfe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077dcff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077dcff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcffb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077dcffb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077dcffe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077dcffe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077dd0044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077dd0048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077dd00c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077dd00c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077dd00f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077dd00f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077dd03f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077dd03fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077dd0410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077dd0414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077dd0590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077dd0594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077dd06d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077dd06d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077dd0734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077dd0738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd07dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077dd07e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077dd0824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077dd0828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd08b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077dd08b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077dd08cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077dd08d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077dd08e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077dd08e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077dd0e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077dd0e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077dd0f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077dd0f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077dd1c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077dd1c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077dd1cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077dd1cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077dd1dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077dd1dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077df3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000777e3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000777e3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000777e9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000777f3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000777fccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007784dc76 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007784dd19 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000075792ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075ac8b7c 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075ac8e6e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075accd35 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075acd0da 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075acd277 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075acd27b 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075acf0e6 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ad0f14 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075ad0f9f 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075ad0fa3 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ad2902 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ad35fb 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ad35ff 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ad3cbf 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ad3d76 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ad3f14 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ad3f18 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ad3f54 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075ad4858 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075ad492a 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075ad492e 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ad8364 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075adb7e6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075adb7ea 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075adc991 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ae06b3 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ae090f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075ae2959 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075aeeef4 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075aeef4a 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075aef422 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075aef9b0 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075af0f60 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendInput 0000000075af195e 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075af1962 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b09f3b 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b115ef 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b2040b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b2044f 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b26e8c 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b26eed 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b27f67 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b27f6b 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b28a7b 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b28a7f 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764158b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076415ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076417ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007641b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007641ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007641cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007641ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076444969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076759698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007695bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077699d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000778d1401 2 bytes JMP 777fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000778d1419 2 bytes JMP 777fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000778d1431 2 bytes JMP 77878fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000778d144a 2 bytes CALL 777d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000778d14dd 2 bytes JMP 778788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000778d14f5 2 bytes JMP 77878aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000778d150d 2 bytes JMP 778787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000778d1525 2 bytes JMP 77878b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000778d153d 2 bytes JMP 777efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000778d1555 2 bytes JMP 777f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000778d156d 2 bytes JMP 77879089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000778d1585 2 bytes JMP 77878bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000778d159d 2 bytes JMP 7787877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000778d15b5 2 bytes JMP 777efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000778d15cd 2 bytes JMP 777fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000778d16b2 2 bytes JMP 77878f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000778d16bd 2 bytes JMP 77878713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 6b0069 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1956] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes JMP 0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x27a440]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x2b4648]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x293740]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2000] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 3d14872d .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2008] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 1 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2032] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\RunDll32.exe[2260] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2864] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP fffda000 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 6b0069 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2996] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0C] .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 260033 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3004] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077c1db30 8 bytes JMP 000000016fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\system32\svchost.exe[3372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP ffb5f9d0 .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 6d9a7942 .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 4d454d4c .text C:\Windows\system32\SearchIndexer.exe[3428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNEL32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNEL32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNEL32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x14a440]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x163740]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3516] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 21a .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\system32\igfxEM.exe[2196] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 0 .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\system32\igfxHK.exe[2148] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\system32\igfxTray.exe[2812] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077dcfa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077dcfa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077dcfb68 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077dcfb6c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077dcfcf0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077dcfcf4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077dcfda4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077dcfda8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077dcfe08 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077dcfe0c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077dcff00 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077dcff04 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcffb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077dcffb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077dcffe4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077dcffe8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077dd0044 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077dd0048 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077dd00c4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077dd00c8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077dd00f4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077dd00f8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077dd03f8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077dd03fc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077dd0410 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077dd0414 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077dd0590 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077dd0594 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077dd06d4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077dd06d8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077dd0734 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077dd0738 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd07dc 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077dd07e0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077dd0824 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077dd0828 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd08b4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077dd08b8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077dd08cc 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077dd08d0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077dd08e4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077dd08e8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077dd0e34 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077dd0e38 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077dd0f18 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077dd0f1c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077dd1c24 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077dd1c28 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077dd1cf4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077dd1cf8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077dd1dcc 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077dd1dd0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077df3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000777e3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000777e3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000777e9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000777f3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000777fccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007784dc76 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007784dd19 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000075792ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075ac8b7c 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075ac8e6e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075accd35 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075acd0da 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075acd277 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075acd27b 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075acf0e6 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ad0f14 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075ad0f9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075ad0fa3 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ad2902 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ad35fb 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ad35ff 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ad3cbf 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ad3d76 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ad3f14 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ad3f18 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ad3f54 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075ad4858 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075ad492a 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075ad492e 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ad8364 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075adb7e6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075adb7ea 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075adc991 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ae06b3 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ae090f 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075ae2959 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075aeeef4 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075aeef4a 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075aef422 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075aef9b0 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075af0f60 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendInput 0000000075af195e 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075af1962 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b09f3b 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b115ef 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b2040b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b2044f 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b26e8c 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b26eed 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b27f67 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b27f6b 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b28a7b 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b28a7f 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764158b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076415ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076417ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007641b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007641ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007641cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007641ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076444969 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077699d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000778d1401 2 bytes JMP 777fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000778d1419 2 bytes JMP 777fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000778d1431 2 bytes JMP 77878fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000778d144a 2 bytes CALL 777d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000778d14dd 2 bytes JMP 778788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000778d14f5 2 bytes JMP 77878aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000778d150d 2 bytes JMP 778787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000778d1525 2 bytes JMP 77878b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000778d153d 2 bytes JMP 777efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000778d1555 2 bytes JMP 777f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000778d156d 2 bytes JMP 77879089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000778d1585 2 bytes JMP 77878bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000778d159d 2 bytes JMP 7787877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000778d15b5 2 bytes JMP 777efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000778d15cd 2 bytes JMP 777fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000778d16b2 2 bytes JMP 77878f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000778d16bd 2 bytes JMP 77878713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077dcfa20 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077dcfa24 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077dcfb68 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077dcfb6c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077dcfcf0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077dcfcf4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077dcfda4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077dcfda8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077dcfe08 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077dcfe0c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077dcff00 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077dcff04 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcffb4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077dcffb8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077dcffe4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077dcffe8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077dd0044 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077dd0048 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077dd00c4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077dd00c8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077dd00f4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077dd00f8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077dd03f8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077dd03fc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077dd0410 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077dd0414 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077dd0590 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077dd0594 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077dd06d4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077dd06d8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077dd0734 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077dd0738 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd07dc 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077dd07e0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077dd0824 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077dd0828 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd08b4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077dd08b8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077dd08cc 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077dd08d0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077dd08e4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077dd08e8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077dd0e34 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077dd0e38 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077dd0f18 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077dd0f1c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077dd1c24 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077dd1c28 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077dd1cf4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077dd1cf8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077dd1dcc 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077dd1dd0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077df3b8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000777e3bab 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000777e3baf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000777e9aa4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000777f3b62 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000777fccd1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007784dc76 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007784dd19 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000075792ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075ac8b7c 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075ac8e6e 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075accd35 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075acd0da 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075acd277 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075acd27b 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075acf0e6 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ad0f14 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075ad0f9f 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075ad0fa3 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ad2902 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ad35fb 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ad35ff 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ad3cbf 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ad3d76 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ad3f14 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ad3f18 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ad3f54 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075ad4858 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075ad492a 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075ad492e 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ad8364 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075adb7e6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075adb7ea 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075adc991 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ae06b3 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ae090f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075ae2959 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075aeeef4 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075aeef4a 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075aef422 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075aef9b0 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075af0f60 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendInput 0000000075af195e 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075af1962 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b09f3b 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b115ef 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b2040b 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b2044f 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b26e8c 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b26eed 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b27f67 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b27f6b 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b28a7b 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b28a7f 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764158b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076415ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076417ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007641b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007641ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007641cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007641ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076444969 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077699d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000076759698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007695bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000778d1401 2 bytes JMP 777fb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000778d1419 2 bytes JMP 777fb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000778d1431 2 bytes JMP 77878fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000778d144a 2 bytes CALL 777d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000778d14dd 2 bytes JMP 778788c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000778d14f5 2 bytes JMP 77878aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000778d150d 2 bytes JMP 778787ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000778d1525 2 bytes JMP 77878b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000778d153d 2 bytes JMP 777efca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000778d1555 2 bytes JMP 777f68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000778d156d 2 bytes JMP 77879089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000778d1585 2 bytes JMP 77878bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000778d159d 2 bytes JMP 7787877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000778d15b5 2 bytes JMP 777efd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000778d15cd 2 bytes JMP 777fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000778d16b2 2 bytes JMP 77878f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000778d16bd 2 bytes JMP 77878713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP ffb4c4f0 .text C:\Windows\System32\svchost.exe[2248] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes JMP 1100 .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes JMP 50005c .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[1628] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes JMP 0 .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x23dd64]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x25db70]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes JMP 0 .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes JMP 0 .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes JMP 300062 .text C:\Windows\system32\wbem\WmiApSrv.exe[4736] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bf3250 6 bytes {JMP QWORD [RIP+0x844cde0]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077c1daa0 6 bytes {JMP QWORD [RIP+0x8402590]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077c1db70 6 bytes {JMP QWORD [RIP+0x8c424c0]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c1dc70 6 bytes {JMP QWORD [RIP+0x8ae23c0]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077c1dce0 6 bytes {JMP QWORD [RIP+0x8bc2350]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c1dd20 6 bytes {JMP QWORD [RIP+0x8b82310]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1ddc0 6 bytes {JMP QWORD [RIP+0x8be2270]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c1de30 6 bytes {JMP QWORD [RIP+0x89e2200]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c1de50 6 bytes {JMP QWORD [RIP+0x8b621e0]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c1de90 6 bytes {JMP QWORD [RIP+0x8a621a0]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c1dee0 6 bytes {JMP QWORD [RIP+0x8a82150]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077c1df00 6 bytes {JMP QWORD [RIP+0x8ba2130]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077c1e0f0 6 bytes {JMP QWORD [RIP+0x8c81f40]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077c1e100 6 bytes {JMP QWORD [RIP+0x89a1f30]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c1e200 6 bytes {JMP QWORD [RIP+0x8981e30]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077c1e2d0 6 bytes {JMP QWORD [RIP+0x8b01d60]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c1e310 6 bytes {JMP QWORD [RIP+0x8a01d20]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c1e380 6 bytes {JMP QWORD [RIP+0x89c1cb0]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077c1e3b0 6 bytes {JMP QWORD [RIP+0x8a41c80]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c1e410 6 bytes {JMP QWORD [RIP+0x8a21c20]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c1e420 6 bytes {JMP QWORD [RIP+0x8c01c10]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c1e430 6 bytes {JMP QWORD [RIP+0x8c61c00]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c1e7a0 6 bytes {JMP QWORD [RIP+0x8b21890]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077c1e830 6 bytes {JMP QWORD [RIP+0x8c21800]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c1f0a0 6 bytes {JMP QWORD [RIP+0x8b40f90]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c1f120 6 bytes {JMP QWORD [RIP+0x8aa0f10]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c1f1a0 6 bytes {JMP QWORD [RIP+0x8ac0e90]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779c18f0 6 bytes {JMP QWORD [RIP+0x873e740]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779cdb10 6 bytes {JMP QWORD [RIP+0x8692520]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a3f4e0 6 bytes {JMP QWORD [RIP+0x8660b50]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a3f510 6 bytes {JMP QWORD [RIP+0x86a0b20]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a3f6e0 6 bytes {JMP QWORD [RIP+0x8640950]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a454b0 6 bytes {JMP QWORD [RIP+0x867ab80]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd99b022 3 bytes CALL b03 .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9a60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff4822cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!BitBlt 000007feff4824c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff485bf0 6 bytes {JMP QWORD [RIP+0x22a440]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff488398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff4889bc 6 bytes {JMP QWORD [RIP+0xa7674]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!GetPixel 000007feff489320 6 bytes {JMP QWORD [RIP+0xe6d10]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff48b9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff48c8f0 6 bytes {JMP QWORD [RIP+0x243740]} .text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff8874a0 6 bytes {JMP QWORD [RIP+0x338b90]} .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077dcfa20 3 bytes JMP 71af000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077dcfa24 2 bytes JMP 71af000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077dcfb68 3 bytes JMP 70c1000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077dcfb6c 2 bytes JMP 70c1000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077dcfcf0 3 bytes JMP 70e2000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077dcfcf4 2 bytes JMP 70e2000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077dcfda4 3 bytes JMP 70cd000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077dcfda8 2 bytes JMP 70cd000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077dcfe08 3 bytes JMP 70d3000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077dcfe0c 2 bytes JMP 70d3000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077dcff00 3 bytes JMP 70ca000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077dcff04 2 bytes JMP 70ca000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcffb4 3 bytes JMP 70fa000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077dcffb8 2 bytes JMP 70fa000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077dcffe4 3 bytes JMP 70d6000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077dcffe8 2 bytes JMP 70d6000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077dd0044 3 bytes JMP 70ee000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077dd0048 2 bytes JMP 70ee000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077dd00c4 3 bytes JMP 70eb000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077dd00c8 2 bytes JMP 70eb000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077dd00f4 3 bytes JMP 70d0000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077dd00f8 2 bytes JMP 70d0000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077dd03f8 3 bytes JMP 70bb000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077dd03fc 2 bytes JMP 70bb000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077dd0410 3 bytes JMP 7100000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077dd0414 2 bytes JMP 7100000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077dd0590 3 bytes JMP 7103000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077dd0594 2 bytes JMP 7103000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077dd06d4 3 bytes JMP 70df000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077dd06d8 2 bytes JMP 70df000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077dd0734 3 bytes JMP 70f7000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077dd0738 2 bytes JMP 70f7000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd07dc 3 bytes JMP 70fd000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077dd07e0 2 bytes JMP 70fd000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077dd0824 3 bytes JMP 70f1000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077dd0828 2 bytes JMP 70f1000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd08b4 3 bytes JMP 70f4000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077dd08b8 2 bytes JMP 70f4000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077dd08cc 3 bytes JMP 70c7000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077dd08d0 2 bytes JMP 70c7000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077dd08e4 3 bytes JMP 70be000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077dd08e8 2 bytes JMP 70be000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077dd0e34 3 bytes JMP 70dc000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077dd0e38 2 bytes JMP 70dc000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077dd0f18 3 bytes JMP 70c4000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077dd0f1c 2 bytes JMP 70c4000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077dd1c24 3 bytes JMP 70d9000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077dd1c28 2 bytes JMP 70d9000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077dd1cf4 3 bytes JMP 70e8000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077dd1cf8 2 bytes JMP 70e8000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077dd1dcc 3 bytes JMP 70e5000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077dd1dd0 2 bytes JMP 70e5000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077df3b8c 6 bytes JMP 71a8000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000777e3bab 3 bytes JMP 719c000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000777e3baf 2 bytes JMP 719c000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000777e9aa4 6 bytes JMP 7187000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000777f3b62 6 bytes JMP 717e000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000777fccd1 6 bytes JMP 718a000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007784dc76 6 bytes JMP 7184000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007784dd19 6 bytes JMP 7181000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007578f784 6 bytes JMP 719f000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000075792ca4 4 bytes CALL 71ac0000 .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075ac8b7c 6 bytes JMP 715d000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075ac8e6e 6 bytes JMP 7151000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075accd35 6 bytes JMP 714b000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075acd0da 6 bytes JMP 7145000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075acd277 3 bytes JMP 7112000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075acd27b 2 bytes JMP 7112000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075acf0e6 6 bytes JMP 7163000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ad0f14 6 bytes JMP 7157000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075ad0f9f 3 bytes JMP 710c000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW + 4 0000000075ad0fa3 2 bytes JMP 710c000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ad2902 6 bytes JMP 712a000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ad35fb 3 bytes JMP 711e000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ad35ff 2 bytes JMP 711e000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ad3cbf 6 bytes JMP 715a000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ad3d76 6 bytes JMP 7154000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ad3f14 3 bytes JMP 7121000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ad3f18 2 bytes JMP 7121000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ad3f54 6 bytes JMP 7109000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075ad4858 6 bytes JMP 7127000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075ad492a 3 bytes JMP 712d000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075ad492e 2 bytes JMP 712d000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ad8364 6 bytes JMP 7169000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075adb7e6 3 bytes JMP 711b000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075adb7ea 2 bytes JMP 711b000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075adc991 6 bytes JMP 7136000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ae06b3 6 bytes JMP 7166000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ae090f 6 bytes JMP 713f000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075ae2959 6 bytes JMP 7133000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075aeeef4 6 bytes JMP 714e000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075aeef4a 6 bytes JMP 7160000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075aef422 6 bytes JMP 7148000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075aef9b0 6 bytes JMP 710f000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075af0f60 6 bytes JMP 7139000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendInput 0000000075af195e 3 bytes JMP 7130000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075af1962 2 bytes JMP 7130000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b09f3b 6 bytes JMP 7115000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075b115ef 6 bytes JMP 7106000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b2040b 6 bytes JMP 716c000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b2044f 6 bytes JMP 716f000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b26e8c 6 bytes JMP 7142000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b26eed 6 bytes JMP 713c000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b27f67 3 bytes JMP 7118000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b27f6b 2 bytes JMP 7118000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b28a7b 3 bytes JMP 7124000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b28a7f 2 bytes JMP 7124000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764158b3 6 bytes JMP 718d000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076415ea5 6 bytes JMP 717b000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076417ba4 6 bytes JMP 7196000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007641b986 6 bytes JMP 7190000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007641ba5f 6 bytes JMP 7172000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007641cc01 6 bytes JMP 7178000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007641ea03 6 bytes JMP 7193000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076444969 6 bytes JMP 7175000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077699d0b 6 bytes JMP 7199000a .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000778d1401 2 bytes JMP 777fb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000778d1419 2 bytes JMP 777fb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000778d1431 2 bytes JMP 77878fd1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000778d144a 2 bytes CALL 777d489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000778d14dd 2 bytes JMP 778788c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000778d14f5 2 bytes JMP 77878aa0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000778d150d 2 bytes JMP 778787ba C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000778d1525 2 bytes JMP 77878b8a C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000778d153d 2 bytes JMP 777efca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000778d1555 2 bytes JMP 777f68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000778d156d 2 bytes JMP 77879089 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000778d1585 2 bytes JMP 77878bea C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000778d159d 2 bytes JMP 7787877e C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000778d15b5 2 bytes JMP 777efd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000778d15cd 2 bytes JMP 777fb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000778d16b2 2 bytes JMP 77878f4c C:\Windows\syswow64\kernel32.dll .text C:\Users\Pawel\Desktop\logi\GMER\u60jl4sq.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000778d16bd 2 bytes JMP 77878713 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----