GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-05 20:32:27 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 OCZ-AGIL rev.2.15 111,79GB Running: 26xt1v06.exe; Driver: C:\Users\Ja\AppData\Local\Temp\fxlcyaoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ddbbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ddbde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ddbbe0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ddbde0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\services.exe[832] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefece2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076c96ee0 6 bytes {JMP QWORD [RIP+0x97a9150]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076c98164 6 bytes {JMP QWORD [RIP+0x9887ecc]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetParent 0000000076c98500 6 bytes {JMP QWORD [RIP+0x97c7b30]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076c99bb0 6 bytes {JMP QWORD [RIP+0x9526480]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!PostMessageA 0000000076c9a3d8 6 bytes {JMP QWORD [RIP+0x9565c58]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!EnableWindow 0000000076c9aa84 6 bytes {JMP QWORD [RIP+0x98c55ac]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!MoveWindow 0000000076c9aab0 6 bytes {JMP QWORD [RIP+0x97e5580]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076c9c6dc 6 bytes {JMP QWORD [RIP+0x9783954]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076c9cd20 6 bytes {JMP QWORD [RIP+0x9863310]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076c9d2b4 6 bytes {JMP QWORD [RIP+0x95a2d7c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendMessageA 0000000076c9d33c 6 bytes {JMP QWORD [RIP+0x95e2cf4]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076c9dc20 6 bytes {JMP QWORD [RIP+0x96c2410]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076c9f4f0 6 bytes {JMP QWORD [RIP+0x98a0b40]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c9f864 6 bytes {JMP QWORD [RIP+0x94e07cc]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076c9fab0 6 bytes {JMP QWORD [RIP+0x9640580]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ca0b64 6 bytes {JMP QWORD [RIP+0x95bf4cc]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ca3380 6 bytes {JMP QWORD [RIP+0x953ccb0]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ca4d3d 5 bytes {JMP QWORD [RIP+0x94fb2f4]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ca4ff0 6 bytes {JMP QWORD [RIP+0x975b040]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ca5428 6 bytes {JMP QWORD [RIP+0x967ac08]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ca6b60 6 bytes {JMP QWORD [RIP+0x95f94d0]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ca7724 6 bytes {JMP QWORD [RIP+0x957890c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076caddcc 6 bytes {JMP QWORD [RIP+0x96f2264]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076cae884 6 bytes {JMP QWORD [RIP+0x98317ac]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076caf7a0 6 bytes {JMP QWORD [RIP+0x97f0890]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076cb28e4 6 bytes {JMP QWORD [RIP+0x968d74c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!mouse_event 0000000076cb38a4 6 bytes {JMP QWORD [RIP+0x948c78c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076cb8a10 6 bytes {JMP QWORD [RIP+0x9727620]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076cb8bd8 6 bytes {JMP QWORD [RIP+0x9607458]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076cb8c20 6 bytes {JMP QWORD [RIP+0x94a7410]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendInput 0000000076cb8cd0 6 bytes {JMP QWORD [RIP+0x9707360]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!BlockInput 0000000076cbad50 6 bytes {JMP QWORD [RIP+0x98052e0]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076ce1574 6 bytes {JMP QWORD [RIP+0x989eabc]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!keybd_event 0000000076d04650 6 bytes {JMP QWORD [RIP+0x941b9e0]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076d0cccc 6 bytes {JMP QWORD [RIP+0x9673364]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076d0dfbc 6 bytes {JMP QWORD [RIP+0x95f2074]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\services.exe[832] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 158d4800 .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 2db44 .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\lsass.exe[856] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 87fb .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[868] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefece2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefece2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 0 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 4e0044 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 8fa9 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 27000000 .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\System32\svchost.exe[436] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 12000013 .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\System32\svchost.exe[584] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefece2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 19cadfb0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefd8f8fe4 5 bytes JMP 80004003 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdb12398 6 bytes {JMP QWORD [RIP+0xbbdc98]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 4e0044 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 8fa9 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes JMP b0a0a0a .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes JMP 13020202 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes JMP 14111111 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes JMP 100f0f0f .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes JMP 3030303 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes JMP d0d0d0d .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes JMP 16161616 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes JMP c000000 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes JMP 9000000 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes JMP 14141414 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes JMP 14141414 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes JMP 8080808 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes JMP e010101 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes JMP 1000101 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes JMP 1 .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes JMP fad485a0 .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 450056 .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x1264628]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefd8f8fe4 5 bytes [FF, 25, 4C, 70, D7] .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdb12398 6 bytes {JMP QWORD [RIP+0xb3dc98]} .text C:\Windows\Explorer.EXE[1460] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefece2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 2445350 .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\WLANExt.exe[1792] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 145 .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\conhost.exe[1804] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x494628]} .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1916] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 4e0044 .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 8fa9 .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 76caa2f8 C:\Windows\system32\USER32.dll .text C:\Windows\system32\taskhost.exe[1948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 12000013 .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\taskeng.exe[1452] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b5000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b5000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b8000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b8000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\AstSrv.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\KERNEL32.dll .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\shell32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 70b5000a .text C:\ProgramData\Logic Handler\set.exe[1636] C:\Windows\syswow64\shell32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 70b8000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70ba000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b4000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b4000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c0000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c0000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70bd000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70bd000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\SHELL32.DLL!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\BitX\bitxsvc.exe[2060] C:\Windows\syswow64\SHELL32.DLL!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x1264628]} .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2156] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70be000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70be000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70ae000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70ae000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70b1000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70b1000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70bd000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70bd000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70c4000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ba000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ba000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e2000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e2000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70df000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70df000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70c0000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70c0000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70ab000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70ab000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70eb000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70eb000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70b7000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70b7000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70ae000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70ae000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70cd000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70cd000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70b4000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70b4000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70d9000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\shell32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 70b5000a .text C:\Users\Ja\AppData\Local\Apps\2.0\abril.exe[2284] C:\Windows\syswow64\shell32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 70b8000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 7090000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 7090000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes [CC, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 709c000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 709c000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70a2000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70a2000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes [98, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70e8000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70e8000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70a5000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70a5000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes [DB, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70d9000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70d9000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 709f000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 709f000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 708a000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 708a000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70f7000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70f7000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes [C9, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes [E4, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70eb000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70eb000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes [DE, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes [95, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 708d000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 708d000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes [C6, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes [92, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes [C3, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes [D5, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes [CF, 70] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7151000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7100000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 713f000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes [05, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 711e000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes [14, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7112000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7112000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 715a000a .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes [0E, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes [20, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes [23, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes {JMP QWORD [RIP+0x70f9001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes [0B, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes [17, 71] .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray.exe[2360] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[2388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\taskeng.exe[2544] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 0 .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\MPC Cleaner\MPCTray64.exe[2760] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[2992] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x1264628]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x1264628]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3960] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP f2f0a170 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x1264628]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3976] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Windows\System32\hkcmd.exe[3992] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x1264628]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files\Elantech\ETDCtrl.exe[4012] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 73005c .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70bb000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70bb000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b5000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b5000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c1000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c1000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b8000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b8000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70be000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70be000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\AppData\Local\Microsoft\OneDrive\OneDrive.exe[1492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Windows\system32\igfxsrvc.exe[3280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70a1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70a1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 709b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 709b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70a7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70a7000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 709e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 709e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70a4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70a4000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 400eaef0 .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Windows\system32\igfxext.exe[4116] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\wbem\unsecapp.exe[4280] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP df0 .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\wbem\wmiprvse.exe[4464] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4636] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 699 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\shell32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 70b5000a .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[4960] C:\Windows\syswow64\shell32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 70b8000a .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\conhost.exe[4972] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4588] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\svchost.exe[5192] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 70b5000a .text C:\Windows\SysWOW64\cmd.exe[5708] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 70b8000a .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\conhost.exe[5744] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\shell32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 70b5000a .text C:\Program Files (x86)\Connectify\Connectify.exe[5696] C:\Windows\syswow64\shell32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNEL32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\shell32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5800] C:\Windows\syswow64\shell32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70be000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes JMP 2660355 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ddbdb0 14 bytes {MOV RAX, 0x7fef60030f0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes JMP 4e0024 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes JMP 28402fa .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes JMP 6c006b .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076c96ee0 6 bytes {JMP QWORD [RIP+0x97a9150]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076c98164 6 bytes {JMP QWORD [RIP+0x9887ecc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetParent 0000000076c98500 6 bytes {JMP QWORD [RIP+0x97c7b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000076c99bb0 6 bytes {JMP QWORD [RIP+0x9526480]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!PostMessageA 0000000076c9a3d8 6 bytes JMP 19d019c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!EnableWindow 0000000076c9aa84 6 bytes {JMP QWORD [RIP+0x98c55ac]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!MoveWindow 0000000076c9aab0 6 bytes {JMP QWORD [RIP+0x97e5580]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076c9c6dc 6 bytes {JMP QWORD [RIP+0x9783954]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076c9cd20 6 bytes {JMP QWORD [RIP+0x9863310]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076c9d2b4 6 bytes {JMP QWORD [RIP+0x95a2d7c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendMessageA 0000000076c9d33c 6 bytes {JMP QWORD [RIP+0x95e2cf4]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076c9dc20 6 bytes {JMP QWORD [RIP+0x96c2410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076c9f4f0 6 bytes {JMP QWORD [RIP+0x98a0b40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076c9f864 6 bytes {JMP QWORD [RIP+0x94e07cc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076c9fab0 6 bytes {JMP QWORD [RIP+0x9640580]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ca0b64 6 bytes {JMP QWORD [RIP+0x95bf4cc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetWindowLongW 0000000076ca3380 6 bytes JMP ffffff9a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ca4d3d 5 bytes {JMP QWORD [RIP+0x94fb2f4]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ca4ff0 6 bytes {JMP QWORD [RIP+0x975b040]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ca5428 6 bytes {JMP QWORD [RIP+0x967ac08]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ca6b60 6 bytes {JMP QWORD [RIP+0x95f94d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ca7724 6 bytes {JMP QWORD [RIP+0x957890c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076caddcc 6 bytes {JMP QWORD [RIP+0x96f2264]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076cae884 6 bytes {JMP QWORD [RIP+0x98317ac]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076caf7a0 6 bytes {JMP QWORD [RIP+0x97f0890]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076cb28e4 6 bytes {JMP QWORD [RIP+0x968d74c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!mouse_event 0000000076cb38a4 6 bytes JMP 2d4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076cb8a10 6 bytes {JMP QWORD [RIP+0x9727620]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076cb8bd8 6 bytes {JMP QWORD [RIP+0x9607458]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076cb8c20 6 bytes {JMP QWORD [RIP+0x94a7410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendInput 0000000076cb8cd0 6 bytes {JMP QWORD [RIP+0x9707360]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!BlockInput 0000000076cbad50 6 bytes {JMP QWORD [RIP+0x98052e0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076ce1574 6 bytes {JMP QWORD [RIP+0x989eabc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!keybd_event 0000000076d04650 6 bytes {JMP QWORD [RIP+0x941b9e0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076d0cccc 6 bytes {JMP QWORD [RIP+0x9673364]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076d0dfbc 6 bytes {JMP QWORD [RIP+0x95f2074]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 58d358d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 16161615 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe6413b0 5 bytes JMP 000007fef58acda0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe642200 5 bytes JMP 000007fef58ad280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\WS2_32.dll!send 000007fefe648000 5 bytes JMP 000007fef58ad030 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\WS2_32.dll!recv 000007fefe64df40 5 bytes JMP 000007fef58ad860 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefd8f8fe4 5 bytes [FF, 25, 4C, 70, DD] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1088] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefdb12398 6 bytes {JMP QWORD [RIP+0xb9dc98]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5748] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ddbcb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 8 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 270064 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe6413b0 5 bytes JMP 000007fef58acda0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe642200 5 bytes JMP 000007fef58ad280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\WS2_32.dll!send 000007fefe648000 5 bytes JMP 000007fef58ad030 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7140] C:\Windows\system32\WS2_32.dll!recv 000007fefe64df40 5 bytes JMP 000007fef58ad860 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076ddbc00 7 bytes [48, B8, 28, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000076ddbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a44340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076ddbd70 7 bytes [48, B8, 80, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 0000000076ddbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ddbd90 7 bytes [48, B8, FC, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076ddbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076ddbda0 7 bytes [48, B8, FC, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000076ddbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ddbdb0 7 bytes [48, B8, 08, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076ddbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076ddbdd0 7 bytes [48, B8, 4C, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076ddbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076ddbe20 7 bytes [48, B8, A4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 0000000076ddbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 0000000076ddbe30 7 bytes [48, B8, 38, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 0000000076ddbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 7 bytes [48, B8, 8C, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000076ddbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076ddbf00 7 bytes [48, B8, D4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000076ddbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x99e40f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 7 bytes [48, B8, 50, C0, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076ddc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9a83dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0x9a03a90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9a63a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a23680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076ddcaf0 7 bytes [48, B8, 20, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076ddcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ddcb40 7 bytes [48, B8, 5C, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000076ddcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076ddcc90 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f89ca} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000076ddcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 4e81401 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\system32\taskhost.exe[6740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 49002d .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes [B4, 70] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c1000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c1000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes [BD, 70] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e2000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e2000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70df000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70df000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes [AE, 70] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70f7000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70f7000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70eb000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70eb000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f1000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f1000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70bb000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70bb000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes [B1, 70] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d0000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d0000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes [B7, 70] .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7181000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 7178000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 7184000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 717e000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 717b000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7166000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 716c000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7169000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7151000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7100000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 713f000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7106000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7106000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 711e000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7115000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7115000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 70fd000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7112000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7112000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 714e000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7148000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7154000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7142000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7103000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 715a000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 712d000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7133000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 713c000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 715d000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 710f000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 710f000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 712a000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7127000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 711b000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7121000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7121000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7124000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7124000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7109000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 70fa000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7160000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7163000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7136000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7130000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 710c000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7118000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7118000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TC UP.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70a1000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70a1000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70c7000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70c7000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c4000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c4000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 709b000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 709b000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70fd000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70fd000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f1000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f1000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f7000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f7000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70a7000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70a7000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 709e000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 709e000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d6000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d6000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70a4000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70a4000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70df000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70df000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7157000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 714b000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7106000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendMessageW 00000000765f9689 6 bytes JMP 7145000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 713f000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 715d000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 710c000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 710c000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7151000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!GetKeyState 000000007660292f 6 bytes JMP 7124000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetParent 0000000076602d74 3 bytes JMP 711b000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 711b000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7103000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7118000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7118000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!PostMessageA 0000000076603bba 6 bytes JMP 7154000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 714e000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 715a000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendMessageA 000000007660613e 6 bytes JMP 7148000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7109000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7160000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7133000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7139000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7142000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7163000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 7115000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 7115000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7130000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 712d000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7121000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7127000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7127000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendInput 000000007661ff6a 3 bytes JMP 712a000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 712a000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 710f000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7100000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!mouse_event 0000000076650343 6 bytes JMP 7166000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!keybd_event 0000000076650387 6 bytes JMP 7169000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 713c000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7136000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7112000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7112000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 711e000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 711e000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 7175000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 716c000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7172000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 716f000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\shell32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7178000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\shell32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 717b000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC UP\TOTALCMD.EXE[4512] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 709a000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 709a000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70d6000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70d6000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70a6000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70a6000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70a3000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70a3000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70ee000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70ee000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70e2000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70e2000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70df000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70df000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70c4000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70c4000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 7094000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 7094000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 70f7000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 70f7000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70eb000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70eb000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70f1000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70f1000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70a0000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70a0000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 7097000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 7097000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70d0000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70d0000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 709d000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 709d000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70dc000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70dc000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70d9000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7181000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 7178000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 7184000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 717e000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 717b000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 716f000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7166000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 716c000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7169000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 7151000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7145000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 7100000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 713f000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7139000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7157000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7106000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7106000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 714b000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 711e000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7115000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7115000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 70fd000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 7112000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 7112000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 714e000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7148000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7154000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 7142000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 7103000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 715a000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 712d000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 7133000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 713c000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 715d000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 710f000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 710f000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 712a000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7127000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 711b000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 7121000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 7121000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7124000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7124000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7109000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 70fa000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 7160000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 7163000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7136000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 7130000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 710c000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 710c000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7118000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7118000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 00000000755c9698 6 bytes JMP 7172000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 00000000757cbae9 6 bytes JMP 7175000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075459cbb 6 bytes JMP 7199000a .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\uTorrent\uTorrent.exe[6620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076ddbc00 7 bytes [48, B8, 28, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000076ddbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a44340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076ddbd70 7 bytes [48, B8, 80, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 0000000076ddbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ddbd90 7 bytes [48, B8, FC, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076ddbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076ddbda0 7 bytes [48, B8, FC, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000076ddbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ddbdb0 7 bytes [48, B8, 08, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076ddbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076ddbdd0 7 bytes [48, B8, 4C, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076ddbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076ddbe20 7 bytes [48, B8, A4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 0000000076ddbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 0000000076ddbe30 7 bytes [48, B8, 38, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 0000000076ddbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 7 bytes [48, B8, 8C, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000076ddbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076ddbf00 7 bytes [48, B8, D4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000076ddbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x99e40f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 7 bytes [48, B8, 50, C0, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076ddc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9a83dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0x9a03a90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9a63a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a23680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076ddcaf0 7 bytes [48, B8, 20, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076ddcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ddcb40 7 bytes [48, B8, 5C, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000076ddcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076ddcc90 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f89ca} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000076ddcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 3a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[6876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[7132] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x966dec0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000076ddbbf0 6 bytes {JMP QWORD [RIP+0x9344440]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9624410]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0xa244340]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000076ddbd50 6 bytes {JMP QWORD [RIP+0x93242e0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 0000000076ddbd60 6 bytes {JMP QWORD [RIP+0x95842d0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0xa134240]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x95641d0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x9504190]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000076ddbec0 6 bytes {JMP QWORD [RIP+0x95a4170]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ddbf30 6 bytes {JMP QWORD [RIP+0x93c4100]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0xa1e40f0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x93a4080]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x94e4060]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0xa0b4020]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0xa0d3fd0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x9543fb0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x92e3dc0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x92c3db0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x9303cb0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x94a3be0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x93e3ba0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9363b30]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000076ddc510 6 bytes {JMP QWORD [RIP+0x9523b20]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9463b00]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9423aa0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0xa203a90]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0xa263a80]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000076ddc610 6 bytes {JMP QWORD [RIP+0x94c3a20]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0xa163710]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0xa223680]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ddca10 6 bytes {JMP QWORD [RIP+0x95e3620]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ddca20 6 bytes {JMP QWORD [RIP+0x95c3610]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ddca50 6 bytes {JMP QWORD [RIP+0x94035e0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ddcac0 6 bytes {JMP QWORD [RIP+0x9383570]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ddcb10 6 bytes {JMP QWORD [RIP+0x9443520]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000076ddd020 6 bytes {JMP QWORD [RIP+0x9483010]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0xa182e10]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076ddd240 6 bytes {JMP QWORD [RIP+0x9602df0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0xa0f2d90]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0xa112d10]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076b762c0 6 bytes {JMP QWORD [RIP+0x94a9d70]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x9cfe7d0]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076b839f0 6 bytes {JMP QWORD [RIP+0x94fc640]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x9c52440]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076bf1920 6 bytes {JMP QWORD [RIP+0x944e710]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x9c20960]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x9c60930]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9c00760]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x9c3a910]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefcc49ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd48687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd488e30 6 bytes {JMP QWORD [RIP+0x3a7200]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd48995c 6 bytes {JMP QWORD [RIP+0x3866d4]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd4899e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd489ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd48a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd48a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd48a5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd48a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd48bb28 6 bytes {JMP QWORD [RIP+0x344508]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd48bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[2892] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd48bb40 2 bytes [36, 00] .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefece2930 6 bytes {JMP QWORD [RIP+0x10d700]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x4edd40]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x50db50]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x52a43c]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0x4a7c8c]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0x48764c]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0x4c6cfc]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x564628]} .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes JMP c2464cc0 .text C:\Windows\system32\svchost.exe[2892] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x966dec0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000076ddbbf0 6 bytes {JMP QWORD [RIP+0x9344440]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9624410]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0xa244340]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000076ddbd50 6 bytes {JMP QWORD [RIP+0x93242e0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 0000000076ddbd60 6 bytes {JMP QWORD [RIP+0x95842d0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0xa134240]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x95641d0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x9504190]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000076ddbec0 6 bytes {JMP QWORD [RIP+0x95a4170]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ddbf30 6 bytes {JMP QWORD [RIP+0x93c4100]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0xa1e40f0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x93a4080]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x94e4060]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0xa0b4020]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0xa0d3fd0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x9543fb0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x92e3dc0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x92c3db0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x9303cb0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x94a3be0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x93e3ba0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9363b30]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000076ddc510 6 bytes {JMP QWORD [RIP+0x9523b20]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9463b00]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9423aa0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0xa203a90]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0xa263a80]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000076ddc610 6 bytes {JMP QWORD [RIP+0x94c3a20]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0xa163710]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0xa223680]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ddca10 6 bytes {JMP QWORD [RIP+0x95e3620]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ddca20 6 bytes {JMP QWORD [RIP+0x95c3610]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ddca50 6 bytes {JMP QWORD [RIP+0x94035e0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ddcac0 6 bytes {JMP QWORD [RIP+0x9383570]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ddcb10 6 bytes {JMP QWORD [RIP+0x9443520]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000076ddd020 6 bytes {JMP QWORD [RIP+0x9483010]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0xa182e10]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076ddd240 6 bytes {JMP QWORD [RIP+0x9602df0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0xa0f2d90]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0xa112d10]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076b762c0 6 bytes {JMP QWORD [RIP+0x94a9d70]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x9cfe7d0]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076b839f0 6 bytes {JMP QWORD [RIP+0x94fc640]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x9c52440]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076bf1920 6 bytes {JMP QWORD [RIP+0x944e710]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x9c20960]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x9c60930]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9c00760]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x9c3a910]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0C] .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefcc49ac1 5 bytes {JMP QWORD [RIP+0xa6570]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefd48687c 6 bytes {JMP QWORD [RIP+0xf97b4]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefd488e30 6 bytes {JMP QWORD [RIP+0x3a7200]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefd48995c 6 bytes JMP 320031 .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefd4899e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefd489ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefd48a51c 6 bytes {JMP QWORD [RIP+0xd5b14]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefd48a530 6 bytes {JMP QWORD [RIP+0xb5b00]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefd48a5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefd48a5c4 6 bytes {JMP QWORD [RIP+0x95a6c]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefd48bb28 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefd48bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[5520] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefd48bb40 2 bytes [36, 00] .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x4edd40]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x50db50]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x52a43c]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0x4a7c8c]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0x48764c]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0x4c6cfc]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x564628]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x543750]} .text C:\Windows\system32\svchost.exe[5520] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\system32\AUDIODG.EXE[6836] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076ddbc00 7 bytes [48, B8, 28, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000076ddbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a44340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076ddbd70 7 bytes [48, B8, 80, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 0000000076ddbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ddbd90 7 bytes [48, B8, FC, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076ddbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076ddbda0 7 bytes [48, B8, FC, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000076ddbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ddbdb0 7 bytes [48, B8, 08, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076ddbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076ddbdd0 7 bytes [48, B8, 4C, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076ddbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076ddbe20 7 bytes [48, B8, A4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 0000000076ddbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 0000000076ddbe30 7 bytes [48, B8, 38, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 0000000076ddbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 7 bytes [48, B8, 8C, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000076ddbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076ddbf00 7 bytes [48, B8, D4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000076ddbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x99e40f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 7 bytes [48, B8, 50, C0, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076ddc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9a83dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0x9a03a90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9a63a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a23680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076ddcaf0 7 bytes [48, B8, 20, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076ddcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ddcb40 7 bytes [48, B8, 5C, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000076ddcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076ddcc90 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f89ca} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000076ddcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes JMP 0 .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\timeout.exe[792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076ddbc00 7 bytes [48, B8, 28, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000076ddbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a44340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076ddbd70 7 bytes [48, B8, 80, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 0000000076ddbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ddbd90 7 bytes [48, B8, FC, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076ddbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076ddbda0 7 bytes [48, B8, FC, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000076ddbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ddbdb0 7 bytes [48, B8, 08, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076ddbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076ddbdd0 7 bytes [48, B8, 4C, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076ddbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076ddbe20 7 bytes [48, B8, A4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 0000000076ddbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 0000000076ddbe30 7 bytes [48, B8, 38, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 0000000076ddbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 7 bytes [48, B8, 8C, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000076ddbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076ddbf00 7 bytes [48, B8, D4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000076ddbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x99e40f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 7 bytes [48, B8, 50, C0, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076ddc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9a83dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0x9a03a90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9a63a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a23680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076ddcaf0 7 bytes [48, B8, 20, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076ddcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ddcb40 7 bytes [48, B8, 5C, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000076ddcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076ddcc90 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f89ca} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000076ddcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes {JMP QWORD [RIP+0x13db50]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes JMP 274628 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076ddbc00 7 bytes [48, B8, 28, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000076ddbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a44340]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076ddbd70 7 bytes [48, B8, 80, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 0000000076ddbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ddbd90 7 bytes [48, B8, FC, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000076ddbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076ddbda0 7 bytes [48, B8, FC, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000076ddbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ddbdb0 7 bytes [48, B8, 08, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000076ddbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076ddbdd0 7 bytes [48, B8, 4C, C3, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000076ddbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076ddbe20 7 bytes [48, B8, A4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 0000000076ddbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 0000000076ddbe30 7 bytes [48, B8, 38, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 0000000076ddbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 7 bytes [48, B8, 8C, C1, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000076ddbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076ddbf00 7 bytes [48, B8, D4, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000076ddbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x99e40f0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 7 bytes [48, B8, 50, C0, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000076ddc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9a83dc0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 6 bytes {JMP QWORD [RIP+0x9a03a90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9a63a80]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a23680]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076ddcaf0 7 bytes [48, B8, 20, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000076ddcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ddcb40 7 bytes [48, B8, 5C, C2, 89, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000076ddcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076ddcc90 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f89ca} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000076ddcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db2170 6 bytes {JMP QWORD [RIP+0x928dec0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076ddbc20 6 bytes {JMP QWORD [RIP+0x9244410]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000076ddbcf0 6 bytes {JMP QWORD [RIP+0x9a84340]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ddbdf0 6 bytes {JMP QWORD [RIP+0x9924240]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076ddbe60 6 bytes {JMP QWORD [RIP+0x9a041d0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ddbea0 6 bytes {JMP QWORD [RIP+0x99c4190]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000076ddbf40 6 bytes {JMP QWORD [RIP+0x9a240f0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddbfb0 6 bytes {JMP QWORD [RIP+0x9824080]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ddbfd0 6 bytes {JMP QWORD [RIP+0x99a4060]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ddc010 6 bytes {JMP QWORD [RIP+0x98a4020]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ddc060 6 bytes {JMP QWORD [RIP+0x98c3fd0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ddc080 6 bytes {JMP QWORD [RIP+0x99e3fb0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000076ddc270 6 bytes {JMP QWORD [RIP+0x9ac3dc0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000076ddc280 6 bytes {JMP QWORD [RIP+0x97e3db0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ddc380 6 bytes {JMP QWORD [RIP+0x97c3cb0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000076ddc450 6 bytes {JMP QWORD [RIP+0x9943be0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ddc490 6 bytes {JMP QWORD [RIP+0x9843ba0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ddc500 6 bytes {JMP QWORD [RIP+0x9803b30]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000076ddc530 6 bytes {JMP QWORD [RIP+0x9883b00]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ddc590 6 bytes {JMP QWORD [RIP+0x9863aa0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000076ddc5a0 4 bytes [FF, 25, 90, 3A] .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 5 0000000076ddc5a5 1 byte [09] .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ddc5b0 6 bytes {JMP QWORD [RIP+0x9aa3a80]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ddc920 6 bytes {JMP QWORD [RIP+0x9963710]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076ddc9b0 6 bytes {JMP QWORD [RIP+0x9a63680]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ddd220 6 bytes {JMP QWORD [RIP+0x9982e10]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ddd2a0 6 bytes {JMP QWORD [RIP+0x98e2d90]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ddd320 6 bytes {JMP QWORD [RIP+0x9902d10]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076b81860 6 bytes {JMP QWORD [RIP+0x957e7d0]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8dbf0 6 bytes {JMP QWORD [RIP+0x94d2440]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076bff6d0 6 bytes {JMP QWORD [RIP+0x94a0960]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076bff700 6 bytes {JMP QWORD [RIP+0x94e0930]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076bff8d0 6 bytes {JMP QWORD [RIP+0x9480760]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c05720 6 bytes {JMP QWORD [RIP+0x94ba910]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcc43a50 5 bytes [FF, 25, E0, C5, 0A] .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd4122f0 6 bytes {JMP QWORD [RIP+0x11dd40]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd4124e0 6 bytes JMP 6c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd415bf4 6 bytes {JMP QWORD [RIP+0x15a43c]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd4183a4 6 bytes {JMP QWORD [RIP+0xd7c8c]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd4189e4 6 bytes {JMP QWORD [RIP+0xb764c]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd419334 6 bytes {JMP QWORD [RIP+0xf6cfc]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd41ba08 6 bytes {JMP QWORD [RIP+0x274628]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd41c8e0 6 bytes {JMP QWORD [RIP+0x173750]} .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd186d10 6 bytes {JMP QWORD [RIP+0x319320]} .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f8f9f0 3 bytes JMP 71af000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000076f8f9f4 2 bytes JMP 71af000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000076f8fb38 3 bytes JMP 70c1000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000076f8fb3c 2 bytes JMP 70c1000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fcc0 3 bytes JMP 70e2000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000076f8fcc4 2 bytes JMP 70e2000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000076f8fd74 3 bytes JMP 70cd000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000076f8fd78 2 bytes JMP 70cd000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000076f8fdd8 3 bytes JMP 70d3000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000076f8fddc 2 bytes JMP 70d3000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000076f8fed0 3 bytes JMP 70ca000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000076f8fed4 2 bytes JMP 70ca000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ff84 3 bytes JMP 70fa000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000076f8ff88 2 bytes JMP 70fa000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000076f8ffb4 3 bytes JMP 70d6000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000076f8ffb8 2 bytes JMP 70d6000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000076f90014 3 bytes JMP 70ee000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000076f90018 2 bytes JMP 70ee000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000076f90094 3 bytes JMP 70eb000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000076f90098 2 bytes JMP 70eb000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000076f900c4 3 bytes JMP 70d0000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000076f900c8 2 bytes JMP 70d0000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000076f903c8 3 bytes JMP 70bb000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000076f903cc 2 bytes JMP 70bb000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000076f903e0 3 bytes JMP 7100000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000076f903e4 2 bytes JMP 7100000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f90560 3 bytes JMP 7103000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000076f90564 2 bytes JMP 7103000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000076f906a4 3 bytes JMP 70df000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000076f906a8 2 bytes JMP 70df000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000076f90704 3 bytes JMP 70f7000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000076f90708 2 bytes JMP 70f7000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907ac 3 bytes JMP 70fd000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000076f907b0 2 bytes JMP 70fd000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000076f907f4 3 bytes JMP 70f1000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000076f907f8 2 bytes JMP 70f1000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f90884 3 bytes JMP 70f4000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000076f90888 2 bytes JMP 70f4000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000076f9089c 3 bytes JMP 70c7000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000076f908a0 2 bytes JMP 70c7000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000076f908b4 3 bytes JMP 70be000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000076f908b8 2 bytes JMP 70be000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000076f90e04 3 bytes JMP 70dc000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000076f90e08 2 bytes JMP 70dc000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000076f90ee8 3 bytes JMP 70c4000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000076f90eec 2 bytes JMP 70c4000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000076f91bf4 3 bytes JMP 70d9000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000076f91bf8 2 bytes JMP 70d9000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000076f91cc4 3 bytes JMP 70e8000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000076f91cc8 2 bytes JMP 70e8000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000076f91d9c 3 bytes JMP 70e5000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000076f91da0 2 bytes JMP 70e5000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fac0f0 6 bytes JMP 71a8000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752e3be3 3 bytes JMP 719c000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000752e3be7 2 bytes JMP 719c000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752e9ae4 6 bytes JMP 7187000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752f3baa 6 bytes JMP 717e000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752fcd11 6 bytes JMP 718a000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007534dda6 6 bytes JMP 7184000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007534de49 6 bytes JMP 7181000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000762ff8a7 6 bytes JMP 719f000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076302e0b 4 bytes CALL 71ac0000 .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000765f8342 6 bytes JMP 715d000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 00000000765f8c0f 6 bytes JMP 7151000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000765f90e3 6 bytes JMP 710c000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000765f9689 6 bytes JMP 714b000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000765f97e2 6 bytes JMP 7145000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765fee19 6 bytes JMP 7163000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!RegisterHotKey 00000000765fefd9 3 bytes JMP 7112000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 00000000765fefdd 2 bytes JMP 7112000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000766012b5 6 bytes JMP 7157000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007660292f 6 bytes JMP 712a000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetParent 0000000076602d74 3 bytes JMP 7121000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076602d78 2 bytes JMP 7121000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076602db4 6 bytes JMP 7109000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!MoveWindow 00000000766036a8 3 bytes JMP 711e000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 00000000766036ac 2 bytes JMP 711e000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076603bba 6 bytes JMP 715a000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076603c71 6 bytes JMP 7154000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076606120 6 bytes JMP 7160000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007660613e 6 bytes JMP 714e000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076606c40 6 bytes JMP 710f000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076607613 6 bytes JMP 7166000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076607678 6 bytes JMP 7139000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000766076f0 6 bytes JMP 713f000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007660782f 6 bytes JMP 7148000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007660836c 6 bytes JMP 7169000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007660c4c6 3 bytes JMP 711b000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007660c4ca 2 bytes JMP 711b000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007661c122 6 bytes JMP 7136000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007661d109 6 bytes JMP 7133000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007661ebb6 6 bytes JMP 7127000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007661ec88 3 bytes JMP 712d000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007661ec8c 2 bytes JMP 712d000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendInput 000000007661ff6a 3 bytes JMP 7130000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007661ff6e 2 bytes JMP 7130000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076639fdb 6 bytes JMP 7115000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 000000007664156b 6 bytes JMP 7106000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076650343 6 bytes JMP 716c000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076650387 6 bytes JMP 716f000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076656dc4 6 bytes JMP 7142000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076656e25 6 bytes JMP 713c000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076657e9f 3 bytes JMP 7118000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076657ea3 2 bytes JMP 7118000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000766589b3 3 bytes JMP 7124000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000766589b7 2 bytes JMP 7124000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000752458b3 6 bytes JMP 718d000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075245ea5 6 bytes JMP 717b000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075247ba4 6 bytes JMP 7196000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007524b986 6 bytes JMP 7190000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007524ba5f 6 bytes JMP 7172000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007524cc01 6 bytes JMP 7178000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007524ea03 6 bytes JMP 7193000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075274ab1 6 bytes JMP 7175000a .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b01401 2 bytes JMP 752fb263 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b01419 2 bytes JMP 752fb38e C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b01431 2 bytes JMP 753790f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b0144a 2 bytes CALL 752d48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b014dd 2 bytes JMP 753789ea C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b014f5 2 bytes JMP 75378bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b0150d 2 bytes JMP 753788e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b01525 2 bytes JMP 75378caa C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b0153d 2 bytes JMP 752efce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b01555 2 bytes JMP 752f6937 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b0156d 2 bytes JMP 753791a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b01585 2 bytes JMP 75378d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b0159d 2 bytes JMP 753788a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b015b5 2 bytes JMP 752efd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b015cd 2 bytes JMP 752fb324 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b016b2 2 bytes JMP 7537906c C:\Windows\syswow64\kernel32.dll .text C:\Users\Ja\Downloads\26xt1v06.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b016bd 2 bytes JMP 75378839 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010c9e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010c9c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010ca614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010caa10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010ca86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee7fda14c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee7fd9884] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee7fda134] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee7fda570] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2640] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee7fda12c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee7fda14c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee7fd9884] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee7fda134] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee7fda570] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5264] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee7fda12c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee7fda14c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee7fd9884] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee7fda134] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee7fda570] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2604] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee7fda12c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1740] @ C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.79\PepperFlash\pepflashplayer.dll[KERNEL32.dll!CreateNamedPipeW] [b6b7002c] ---- Devices - GMER 2.2 ---- Device \Driver\b57xdmp \Device\Scsi\b57xdmp1 fffffa800497d2c0 Device \Driver\bScsiSDa \Device\Scsi\bScsiSDa1 fffffa80077042c0 Device \Driver\bScsiMSa \Device\Scsi\bScsiMSa1 fffffa80077062c0 Device \FileSystem\Ntfs \Ntfs fffffa80044062c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80076c02c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006d902c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C414F2A9-C828-4CCF-A163-BDC83CF9B40F} fffffa8006eed2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80076c02c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80077502c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A9F4D667-043A-4E9A-ACAB-6D51354B0CBB} fffffa8006eed2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80076c02c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006eed2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80076c02c0 Device \Driver\bScsiSDa \Device\ScsiPort1 fffffa80077042c0 Device \Driver\bScsiMSa \Device\ScsiPort2 fffffa80077062c0 Device \Driver\b57xdmp \Device\ScsiPort3 fffffa800497d2c0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 62364 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x8F 0x45 0x57 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xA5 0x55 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x41 0x5E 0xCC ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x20 0x75 0x34 0x07 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x8F 0x45 0x57 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xA5 0x55 0xBE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x41 0x5E 0xCC ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x20 0x75 0x34 0x07 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Ja\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKJKRNXY\AdwCleaner\x00a05.116.exe 1 ---- EOF - GMER 2.2 ----