GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-03-03 14:05:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC46 931,51GB Running: tem00lhg.exe; Driver: C:\Windows\TEMP\kfdiypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077afd460 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077afd660 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077afd460 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077afd660 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\services.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\services.exe[704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\services.exe[704] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff9c3d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077896ee0 6 bytes {JMP QWORD [RIP+0x8ba9150]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077898164 6 bytes {JMP QWORD [RIP+0x8c87ecc]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetParent 0000000077898500 6 bytes {JMP QWORD [RIP+0x8bc7b30]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077899bb0 6 bytes {JMP QWORD [RIP+0x8926480]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!PostMessageA 000000007789a3d8 6 bytes {JMP QWORD [RIP+0x8965c58]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!EnableWindow 000000007789aa84 6 bytes {JMP QWORD [RIP+0x8cc55ac]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!MoveWindow 000000007789aab0 6 bytes {JMP QWORD [RIP+0x8be5580]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007789c6dc 6 bytes {JMP QWORD [RIP+0x8b83954]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007789cd20 6 bytes {JMP QWORD [RIP+0x8c63310]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007789d2b4 6 bytes {JMP QWORD [RIP+0x89a2d7c]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendMessageA 000000007789d33c 6 bytes {JMP QWORD [RIP+0x89e2cf4]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007789dc20 6 bytes {JMP QWORD [RIP+0x8ac2410]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007789f4f0 6 bytes {JMP QWORD [RIP+0x8ca0b40]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007789f864 6 bytes {JMP QWORD [RIP+0x88e07cc]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007789fab0 6 bytes {JMP QWORD [RIP+0x8a40580]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000778a0b64 6 bytes {JMP QWORD [RIP+0x89bf4cc]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000778a3380 6 bytes {JMP QWORD [RIP+0x893ccb0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000778a4d3d 5 bytes {JMP QWORD [RIP+0x88fb2f4]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!GetKeyState 00000000778a4ff0 6 bytes {JMP QWORD [RIP+0x8b5b040]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000778a5428 6 bytes {JMP QWORD [RIP+0x8a7ac08]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendMessageW 00000000778a6b60 6 bytes {JMP QWORD [RIP+0x89f94d0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!PostMessageW 00000000778a7724 6 bytes {JMP QWORD [RIP+0x897890c]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000778addcc 6 bytes {JMP QWORD [RIP+0x8af2264]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!GetClipboardData 00000000778ae884 6 bytes {JMP QWORD [RIP+0x8c317ac]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000778af7a0 6 bytes {JMP QWORD [RIP+0x8bf0890]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000778b28e4 6 bytes {JMP QWORD [RIP+0x8a8d74c]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!mouse_event 00000000778b38a4 6 bytes {JMP QWORD [RIP+0x888c78c]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000778b8a10 6 bytes {JMP QWORD [RIP+0x8b27620]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000778b8bd8 6 bytes {JMP QWORD [RIP+0x8a07458]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000778b8c20 6 bytes {JMP QWORD [RIP+0x88a7410]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendInput 00000000778b8cd0 6 bytes {JMP QWORD [RIP+0x8b07360]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!BlockInput 00000000778bad50 6 bytes {JMP QWORD [RIP+0x8c052e0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000778e1574 6 bytes {JMP QWORD [RIP+0x8c9eabc]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!keybd_event 0000000077904650 6 bytes {JMP QWORD [RIP+0x881b9e0]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007790cccc 6 bytes {JMP QWORD [RIP+0x8a73364]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007790dfbc 6 bytes {JMP QWORD [RIP+0x89f2074]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes JMP 35 .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\services.exe[704] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP fe932ba0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\lsm.exe[724] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff9c3d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cafa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077cafa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafbc8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafbcc 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafd50 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafd54 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafe04 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafe08 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafe68 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafe6c 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077caff60 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077caff64 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077cb0014 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077cb0018 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077cb0044 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077cb0048 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb00a4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb00a8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0124 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0128 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb0154 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb0158 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb0458 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb045c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb0470 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb0474 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb05f0 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb05f4 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0734 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0738 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb0794 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb0798 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb083c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb0840 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb0884 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb0888 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0914 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0918 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb092c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0930 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb0944 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb0948 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0e94 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0e98 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0f78 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0f7c 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1c84 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1c88 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1d54 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1d58 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1e2c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1e30 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd3d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075983bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075983bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075989abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075993b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007599cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000759edcbe 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000759edd61 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007565f897 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075662e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771958b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077195ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077197ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007719b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007719ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007719cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007719ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771c4960 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077288342 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077288c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000772890e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077289689 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000772897e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007728ee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007728efd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007728efdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000772912b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007729292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetParent 0000000077292d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077292d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077292db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000772936a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000772936ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077293bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077293c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077296120 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007729613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077296c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077297613 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077297678 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000772976f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007729782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007729836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007729c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007729c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000772ac122 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000772ad109 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000772aebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000772aec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000772aec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendInput 00000000772aff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000772aff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000772c9fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000772d156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!mouse_event 00000000772e0343 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!keybd_event 00000000772e0387 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000772e6dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000772e6e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!BlockInput 00000000772e7e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000772e7ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000772e89b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000772e89b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077489ccb 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 75a19011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 759748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 75a1890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 75a18ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 75a18800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 75a18bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 75a190c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 75a18c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 75a187c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 75a18f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[924] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 75a18759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff9c3d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP aba7 .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes JMP 7fe .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\svchost.exe[960] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 14 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\System32\svchost.exe[824] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes JMP 3e80 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes JMP 84e7fc1 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes JMP 88e1df0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes JMP 19880 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes JMP 5110ed9b .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes JMP 86bd2d1 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes JMP 8289e494 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes JMP 869ab38 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes JMP e .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff9c3d60 6 bytes JMP 730072 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes JMP 2ffea60 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 95c837d5 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\SHELL32.dll!SHFileOperationW 0000000002188fe4 6 bytes {JMP QWORD [RIP+0x2a4704c]} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\SHELL32.dll!SHFileOperation 00000000023a2398 6 bytes {JMP QWORD [RIP+0xb3dc98]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 31] .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1cdd64]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes JMP 6f2d .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x1a6d10]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x244648]} .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 6e0069 .text C:\Windows\System32\spoolsv.exe[1416] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x268bc0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff9c3d60 6 bytes {JMP QWORD [RIP+0x10c2d0]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\Dwm.exe[1628] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cafa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077cafa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafbc8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafbcc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafd50 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafd54 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafe04 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafe08 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafe68 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafe6c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077caff60 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077caff64 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077cb0014 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077cb0018 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077cb0044 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077cb0048 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb00a4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb00a8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0124 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0128 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb0154 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb0158 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb0458 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb045c 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb0470 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb0474 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb05f0 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb05f4 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0734 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0738 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb0794 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb0798 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb083c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb0840 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb0884 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb0888 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0914 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0918 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb092c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0930 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb0944 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb0948 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0e94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0e98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0f78 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0f7c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1c84 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1c88 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1d54 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1d58 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1e2c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1e30 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd3d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075983bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075983bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075989abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075993b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007599cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000759edcbe 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000759edd61 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007565f897 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075662e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077288342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077288c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000772890e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077289689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000772897e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007728ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007728efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007728efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000772912b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007729292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetParent 0000000077292d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077292d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077292db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000772936a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000772936ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077293bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077293c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077296120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007729613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077296c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077297613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077297678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000772976f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007729782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007729836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007729c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007729c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000772ac122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000772ad109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000772aebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000772aec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000772aec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendInput 00000000772aff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000772aff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000772c9fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000772d156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!mouse_event 00000000772e0343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!keybd_event 00000000772e0387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000772e6dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000772e6e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!BlockInput 00000000772e7e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000772e7ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000772e89b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000772e89b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771958b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077195ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077197ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007719b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007719ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007719cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007719ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771c4960 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c19698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e1bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077489ccb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 75a19011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 759748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 75a1890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 75a18ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 75a18800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 75a18bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 75a190c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 75a18c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 75a187c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 75a18f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 75a18759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL d8c00 .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 1000100 .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1736] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cafa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077cafa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafbc8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafbcc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafd50 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafd54 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafe04 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafe08 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafe68 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafe6c 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077caff60 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077caff64 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077cb0014 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077cb0018 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077cb0044 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077cb0048 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb00a4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb00a8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0124 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0128 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb0154 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb0158 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb0458 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb045c 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb0470 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb0474 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb05f0 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb05f4 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0734 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0738 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb0794 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb0798 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb083c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb0840 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb0884 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb0888 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0914 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0918 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb092c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0930 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb0944 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb0948 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0e94 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0e98 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0f78 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0f7c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1c84 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1c88 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1d54 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1d58 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1e2c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1e30 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd3d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075983bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075983bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075989abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075993b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007599cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000759edcbe 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000759edd61 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007565f897 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075662e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c19698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e1bae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771958b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077195ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077197ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007719b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007719ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007719cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007719ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771c4960 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077288342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077288c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000772890e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077289689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000772897e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007728ee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007728efd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007728efdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000772912b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007729292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetParent 0000000077292d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077292d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077292db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000772936a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000772936ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077293bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077293c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077296120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007729613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077296c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077297613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077297678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000772976f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007729782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007729836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007729c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007729c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000772ac122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000772ad109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000772aebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000772aec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000772aec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendInput 00000000772aff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000772aff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000772c9fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000772d156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!mouse_event 00000000772e0343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!keybd_event 00000000772e0387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000772e6dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000772e6e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!BlockInput 00000000772e7e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000772e7ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000772e89b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000772e89b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077489ccb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 75a19011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 759748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 75a1890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 75a18ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 75a18800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 75a18bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 75a190c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 75a18c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 75a187c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 75a18f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe[1800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 75a18759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cafa80 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077cafa84 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafbc8 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafbcc 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafd50 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafd54 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafe04 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafe08 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafe68 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafe6c 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077caff60 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077caff64 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077cb0014 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077cb0018 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077cb0044 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077cb0048 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb00a4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb00a8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0124 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0128 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb0154 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb0158 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb0458 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb045c 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb0470 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb0474 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb05f0 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb05f4 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0734 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0738 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb0794 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb0798 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb083c 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb0840 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb0884 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb0888 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0914 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0918 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb092c 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0930 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb0944 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb0948 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0e94 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0e98 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0f78 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0f7c 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1c84 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1c88 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1d54 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1d58 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1e2c 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1e30 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd3d8c 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075983bbb 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075983bbf 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075989abc 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075993b7a 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007599cce1 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000759edcbe 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000759edd61 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007565f897 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075662e0c 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771958b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077195ea5 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077197ba4 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007719b986 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007719ba5f 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007719cc01 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007719ea03 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771c4960 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077288342 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077288c0f 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000772890e3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077289689 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000772897e2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007728ee19 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007728efd9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007728efdd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000772912b5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007729292f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetParent 0000000077292d74 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077292d78 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077292db4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000772936a8 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000772936ac 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077293bba 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077293c71 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077296120 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007729613e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077296c40 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077297613 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077297678 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000772976f0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007729782f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007729836c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007729c4c6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007729c4ca 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000772ac122 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000772ad109 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000772aebb6 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000772aec88 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000772aec8c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendInput 00000000772aff6a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000772aff6e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000772c9fdb 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000772d156b 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!mouse_event 00000000772e0343 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!keybd_event 00000000772e0387 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000772e6dc4 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000772e6e25 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!BlockInput 00000000772e7e9f 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000772e7ea3 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000772e89b3 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000772e89b7 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077489ccb 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 75a19011 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 759748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 75a1890a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 75a18ae0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 75a18800 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 75a18bca C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 75a190c9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 75a18c2a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 75a187c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 75a18f8c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\SecUPDUtilSvc.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 75a18759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\svchost.exe[2356] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 31] .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP 147cf344 .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes JMP 410035 .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 2bc5 .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 452 .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefeaa8fe4 6 bytes {JMP QWORD [RIP+0x104704c]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefecc2398 6 bytes {JMP QWORD [RIP+0xe0dc98]} .text C:\Windows\Explorer.EXE[2436] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x268bc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 2D] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x248bc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x20a440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x187c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 22b0cfa .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP ff9eff92 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x12bdd64]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x131db70]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x133a440]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x1374648]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x1353740]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x268bc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2160] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 0 .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\WUDFHost.exe[2564] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x268bc0]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\SearchIndexer.exe[3960] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cafa80 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077cafa84 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafbc8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafbcc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafd50 3 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafd54 2 bytes JMP 70d6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafe04 3 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafe08 2 bytes JMP 70c1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafe68 3 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafe6c 2 bytes JMP 70c7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077caff60 3 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077caff64 2 bytes JMP 70be000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077cb0014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077cb0018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077cb0044 3 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077cb0048 2 bytes JMP 70ca000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb00a4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb00a8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0124 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0128 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb0154 3 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb0158 2 bytes JMP 70c4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb0458 3 bytes JMP 70af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb045c 2 bytes JMP 70af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb0470 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb0474 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb05f0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb05f4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0734 3 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0738 2 bytes JMP 70d3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb0794 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb0798 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb083c 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb0840 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb0884 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb0888 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0914 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0918 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb092c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0930 2 bytes JMP 70bb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb0944 3 bytes JMP 70b2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb0948 2 bytes JMP 70b2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0e94 3 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0e98 2 bytes JMP 70d0000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0f78 3 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0f7c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1c84 3 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1c88 2 bytes JMP 70cd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1d54 3 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1d58 2 bytes JMP 70dc000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1e2c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1e30 2 bytes JMP 70d9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd3d8c 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075983bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075983bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075989abc 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075993b7a 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007599cce1 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000759edcbe 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000759edd61 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007565f897 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075662e0c 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 75a19011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 759748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 75a1890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 75a18ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 75a18800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 75a18bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 75a190c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 75a18c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 75a187c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 75a18f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 75a18759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077489ccb 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771958b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077195ea5 6 bytes JMP 7173000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077197ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007719b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007719ba5f 6 bytes JMP 716a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007719cc01 6 bytes JMP 7170000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007719ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771c4960 6 bytes JMP 716d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077288342 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077288c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000772890e3 6 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077289689 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000772897e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007728ee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007728efd9 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007728efdd 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000772912b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007729292f 6 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetParent 0000000077292d74 3 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077292d78 2 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077292db4 6 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000772936a8 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000772936ac 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077293bba 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077293c71 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077296120 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007729613e 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077296c40 6 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077297613 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077297678 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000772976f0 6 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007729782f 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007729836c 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007729c4c6 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007729c4ca 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000772ac122 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000772ad109 6 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000772aebb6 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000772aec88 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000772aec8c 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendInput 00000000772aff6a 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000772aff6e 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000772c9fdb 6 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000772d156b 6 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!mouse_event 00000000772e0343 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!keybd_event 00000000772e0387 6 bytes JMP 7167000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000772e6dc4 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000772e6e25 6 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!BlockInput 00000000772e7e9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000772e7ea3 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000772e89b3 3 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000772e89b7 2 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075c19698 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3228] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075e1bae9 6 bytes JMP 717b000a .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\AUDIODG.EXE[2896] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 2D] .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 33] .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\nvvsvc.exe[5056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x278bc0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 06] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP 9b9 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP 61006c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes [67, 6D, 2D] .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes [FF, 25, 40, C9, 33] .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes {JMP QWORD [RIP+0x1ddb70]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes {JMP QWORD [RIP+0x196d10]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\nvvsvc.exe[3108] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x278bc0]} .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077cafa80 3 bytes JMP 71af000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077cafa84 2 bytes JMP 71af000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafbc8 3 bytes JMP 70c1000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafbcc 2 bytes JMP 70c1000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafd50 3 bytes JMP 70e2000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafd54 2 bytes JMP 70e2000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafe04 3 bytes JMP 70cd000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafe08 2 bytes JMP 70cd000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafe68 3 bytes JMP 70d3000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafe6c 2 bytes JMP 70d3000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077caff60 3 bytes JMP 70ca000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077caff64 2 bytes JMP 70ca000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077cb0014 3 bytes JMP 70fa000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077cb0018 2 bytes JMP 70fa000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077cb0044 3 bytes JMP 70d6000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077cb0048 2 bytes JMP 70d6000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb00a4 3 bytes JMP 70ee000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb00a8 2 bytes JMP 70ee000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0124 3 bytes JMP 70eb000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0128 2 bytes JMP 70eb000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb0154 3 bytes JMP 70d0000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb0158 2 bytes JMP 70d0000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb0458 3 bytes JMP 70bb000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb045c 2 bytes JMP 70bb000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb0470 3 bytes JMP 7100000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb0474 2 bytes JMP 7100000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb05f0 3 bytes JMP 7103000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb05f4 2 bytes JMP 7103000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0734 3 bytes JMP 70df000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0738 2 bytes JMP 70df000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb0794 3 bytes JMP 70f7000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb0798 2 bytes JMP 70f7000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb083c 3 bytes JMP 70fd000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb0840 2 bytes JMP 70fd000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb0884 3 bytes JMP 70f1000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb0888 2 bytes JMP 70f1000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0914 3 bytes JMP 70f4000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0918 2 bytes JMP 70f4000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb092c 3 bytes JMP 70c7000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0930 2 bytes JMP 70c7000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb0944 3 bytes JMP 70be000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb0948 2 bytes JMP 70be000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0e94 3 bytes JMP 70dc000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0e98 2 bytes JMP 70dc000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0f78 3 bytes JMP 70c4000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0f7c 2 bytes JMP 70c4000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1c84 3 bytes JMP 70d9000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1c88 2 bytes JMP 70d9000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1d54 3 bytes JMP 70e8000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1d58 2 bytes JMP 70e8000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1e2c 3 bytes JMP 70e5000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1e30 2 bytes JMP 70e5000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd3d8c 6 bytes JMP 71a8000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075983bbb 3 bytes JMP 719c000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000075983bbf 2 bytes JMP 719c000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075989abc 6 bytes JMP 7187000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000075993b7a 6 bytes JMP 717e000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007599cce1 6 bytes JMP 718a000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 00000000759edcbe 6 bytes JMP 7184000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 00000000759edd61 6 bytes JMP 7181000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007565f897 6 bytes JMP 719f000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 575 0000000075662e0c 4 bytes CALL 71ac0000 .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077288342 6 bytes JMP 715d000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000077288c0f 6 bytes JMP 7151000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000772890e3 6 bytes JMP 710c000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000077289689 6 bytes JMP 714b000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000772897e2 6 bytes JMP 7145000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007728ee19 6 bytes JMP 7163000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007728efd9 3 bytes JMP 7112000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007728efdd 2 bytes JMP 7112000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000772912b5 6 bytes JMP 7157000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007729292f 6 bytes JMP 712a000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetParent 0000000077292d74 3 bytes JMP 7121000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000077292d78 2 bytes JMP 7121000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000077292db4 6 bytes JMP 7109000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000772936a8 3 bytes JMP 711e000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000772936ac 2 bytes JMP 711e000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000077293bba 6 bytes JMP 715a000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000077293c71 6 bytes JMP 7154000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000077296120 6 bytes JMP 7160000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007729613e 6 bytes JMP 714e000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000077296c40 6 bytes JMP 710f000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077297613 6 bytes JMP 7166000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000077297678 6 bytes JMP 7139000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000772976f0 6 bytes JMP 713f000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007729782f 6 bytes JMP 7148000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007729836c 6 bytes JMP 7169000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007729c4c6 3 bytes JMP 711b000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007729c4ca 2 bytes JMP 711b000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000772ac122 6 bytes JMP 7136000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000772ad109 6 bytes JMP 7133000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000772aebb6 6 bytes JMP 7127000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000772aec88 3 bytes JMP 712d000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000772aec8c 2 bytes JMP 712d000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendInput 00000000772aff6a 3 bytes JMP 7130000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000772aff6e 2 bytes JMP 7130000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000772c9fdb 6 bytes JMP 7115000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000772d156b 6 bytes JMP 7106000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!mouse_event 00000000772e0343 6 bytes JMP 716c000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!keybd_event 00000000772e0387 6 bytes JMP 716f000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000772e6dc4 6 bytes JMP 7142000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000772e6e25 6 bytes JMP 713c000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!BlockInput 00000000772e7e9f 3 bytes JMP 7118000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000772e7ea3 2 bytes JMP 7118000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000772e89b3 3 bytes JMP 7124000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000772e89b7 2 bytes JMP 7124000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771958b3 6 bytes JMP 718d000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077195ea5 6 bytes JMP 717b000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000077197ba4 6 bytes JMP 7196000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007719b986 6 bytes JMP 7190000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007719ba5f 6 bytes JMP 7172000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007719cc01 6 bytes JMP 7178000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007719ea03 6 bytes JMP 7193000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771c4960 6 bytes JMP 7175000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077489ccb 6 bytes JMP 7199000a .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 75a19011 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 759748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 75a1890a C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 75a18ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 75a18800 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 75a18bca C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 75a190c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 75a18c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 75a187c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 75a18f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\suzaku18\Desktop\tem00lhg.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 75a18759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad2dc0 6 bytes {JMP QWORD [RIP+0x856d270]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077afd4a0 6 bytes {JMP QWORD [RIP+0x8522b90]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077afd570 6 bytes {JMP QWORD [RIP+0x8d62ac0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077afd670 6 bytes {JMP QWORD [RIP+0x8c029c0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077afd6e0 6 bytes {JMP QWORD [RIP+0x8ce2950]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077afd720 6 bytes {JMP QWORD [RIP+0x8ca2910]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077afd7c0 6 bytes {JMP QWORD [RIP+0x8d02870]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077afd830 6 bytes {JMP QWORD [RIP+0x8b02800]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077afd850 6 bytes {JMP QWORD [RIP+0x8c827e0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077afd890 6 bytes {JMP QWORD [RIP+0x8b827a0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077afd8e0 6 bytes {JMP QWORD [RIP+0x8ba2750]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077afd900 6 bytes {JMP QWORD [RIP+0x8cc2730]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077afdaf0 6 bytes {JMP QWORD [RIP+0x8da2540]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077afdb00 6 bytes {JMP QWORD [RIP+0x8ac2530]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077afdc00 6 bytes {JMP QWORD [RIP+0x8aa2430]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077afdcd0 6 bytes {JMP QWORD [RIP+0x8c22360]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077afdd10 6 bytes {JMP QWORD [RIP+0x8b22320]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077afdd80 6 bytes {JMP QWORD [RIP+0x8ae22b0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077afddb0 6 bytes {JMP QWORD [RIP+0x8b62280]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077afde10 6 bytes {JMP QWORD [RIP+0x8b42220]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077afde20 6 bytes {JMP QWORD [RIP+0x8d22210]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077afde30 6 bytes {JMP QWORD [RIP+0x8d82200]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077afe1a0 6 bytes {JMP QWORD [RIP+0x8c41e90]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077afe230 6 bytes {JMP QWORD [RIP+0x8d41e00]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077afeaa0 6 bytes {JMP QWORD [RIP+0x8c61590]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077afeb20 6 bytes {JMP QWORD [RIP+0x8bc1510]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077afeba0 6 bytes {JMP QWORD [RIP+0x8be1490]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000779a1890 6 bytes {JMP QWORD [RIP+0x875e7a0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000779adb80 6 bytes {JMP QWORD [RIP+0x86b24b0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000077a1f540 6 bytes {JMP QWORD [RIP+0x8680af0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000077a1f570 6 bytes {JMP QWORD [RIP+0x86c0ac0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000077a1f740 6 bytes {JMP QWORD [RIP+0x86608f0]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077a25510 6 bytes {JMP QWORD [RIP+0x869ab20]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 355 000007fefdb292a3 3 bytes CALL 211b00 .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdb336f0 5 bytes JMP 6440627 .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe8022cc 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!BitBlt 000007fefe8024c0 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefe805bf0 6 bytes {JMP QWORD [RIP+0x1fa440]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe808398 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe8089bc 6 bytes {JMP QWORD [RIP+0x157674]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe809320 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefe80b9e8 6 bytes {JMP QWORD [RIP+0x234648]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefe80c8f0 6 bytes {JMP QWORD [RIP+0x213740]} .text C:\Windows\system32\taskeng.exe[2732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc17470 6 bytes {JMP QWORD [RIP+0x228bc0]} ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88000e68e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88000e68c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88000e69654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88000e69a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88000e698ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef75d741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef75d5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef75d5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef75d5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef75d7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef75d6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef75d6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef75d7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef75d7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef75d78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef75d4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef75d5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2540] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef75d7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8006b632c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8006b632c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8006b632c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8006b632c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-5 fffffa8006b632c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa8006b632c0 Device \FileSystem\Ntfs \Ntfs fffffa8006b672c0 Device \FileSystem\fastfat \Fat fffffa80080702c0 Device \Driver\USBSTOR \Device\0000006a fffffa8008a8c2c0 Device \Driver\USBSTOR \Device\0000007a fffffa8008a8c2c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa80085f12c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa80085df2c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa80085df2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{37AEB4E3-9284-42FA-AA89-7BAAE6DE565F} fffffa80081b52c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007c5f2c0 Device \Driver\USBSTOR \Device\0000007b fffffa8008a8c2c0 Device \Driver\USBSTOR \Device\00000079 fffffa8008a8c2c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa80085df2c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa80085df2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80085df2c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80085f12c0 Device \Driver\USBSTOR \Device\0000007c fffffa8008a8c2c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa80085f12c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa80085df2c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa80085df2c0 Device \Driver\USBSTOR \Device\0000006d fffffa8008a8c2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80081b52c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa80085df2c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80085df2c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80085f12c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8006b632c0 Device \Driver\USBSTOR \Device\00000073 fffffa8008a8c2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80085df2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8006b632c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8006b632c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8006b632c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006b632c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8006b632c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007c40060] fffffa8007c40060 Trace 3 CLASSPNP.SYS[fffff8800196e43f] -> nt!IofCallDriver -> [0xfffffa8006c81670] fffffa8006c81670 Trace 5 ACPI.sys[fffff88000f927a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006c9f060] fffffa8006c9f060 Trace \Driver\atapi[0xfffffa8006c80060] -> IRP_MJ_CREATE -> 0xfffffa8006b632c0 fffffa8006b632c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x0E 0x13 0x29 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x0E 0x13 0x29 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----