GMER 2.1.19324 - http://www.gmer.net Rootkit scan 2014-01-19 18:26:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: u9x0060s.exe; Driver: C:\Users\MISIOE~1\AppData\Local\Temp\agaiypog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fb0000 8 bytes [00, 00, 16, 02, 4E, 53, 49, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff80002fb0010 29 bytes [DC, 14, 01, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077601360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077601560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077601360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077601560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\services.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[640] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7d4750 6 bytes {JMP QWORD [RIP+0x11b8e0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000774b6ef0 6 bytes {JMP QWORD [RIP+0x8f29140]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774b8184 6 bytes {JMP QWORD [RIP+0x9007eac]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetParent 00000000774b8530 6 bytes {JMP QWORD [RIP+0x8f47b00]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000774b9bcc 6 bytes {JMP QWORD [RIP+0x8ca6464]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!PostMessageA 00000000774ba404 6 bytes {JMP QWORD [RIP+0x8ce5c2c]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!EnableWindow 00000000774baaa0 6 bytes {JMP QWORD [RIP+0x9045590]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!MoveWindow 00000000774baad0 6 bytes {JMP QWORD [RIP+0x8f65560]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000774bc720 6 bytes {JMP QWORD [RIP+0x8f03910]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000774bcd50 6 bytes {JMP QWORD [RIP+0x8fe32e0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000774bd2b0 6 bytes {JMP QWORD [RIP+0x8d22d80]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendMessageA 00000000774bd338 6 bytes {JMP QWORD [RIP+0x8d62cf8]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774bdc40 6 bytes {JMP QWORD [RIP+0x8e423f0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000774bf510 6 bytes {JMP QWORD [RIP+0x9020b20]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000774bf874 6 bytes {JMP QWORD [RIP+0x8c607bc]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000774bfac0 6 bytes {JMP QWORD [RIP+0x8dc0570]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000774c0b74 6 bytes {JMP QWORD [RIP+0x8d3f4bc]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000774c33b0 6 bytes {JMP QWORD [RIP+0x8cbcc80]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000774c4d4d 5 bytes {JMP QWORD [RIP+0x8c7b2e4]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!GetKeyState 00000000774c5010 6 bytes {JMP QWORD [RIP+0x8edb020]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000774c5438 6 bytes {JMP QWORD [RIP+0x8dfabf8]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendMessageW 00000000774c6b50 6 bytes {JMP QWORD [RIP+0x8d794e0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!PostMessageW 00000000774c76e4 6 bytes {JMP QWORD [RIP+0x8cf894c]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000774cdd90 6 bytes {JMP QWORD [RIP+0x8e722a0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!GetClipboardData 00000000774ce874 6 bytes {JMP QWORD [RIP+0x8fb17bc]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000774cf780 6 bytes {JMP QWORD [RIP+0x8f708b0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774d28e4 6 bytes {JMP QWORD [RIP+0x8e0d74c]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!mouse_event 00000000774d3894 6 bytes {JMP QWORD [RIP+0x8c0c79c]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774d8a10 6 bytes {JMP QWORD [RIP+0x8ea7620]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000774d8be0 6 bytes {JMP QWORD [RIP+0x8d87450]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000774d8c20 6 bytes {JMP QWORD [RIP+0x8c27410]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendInput 00000000774d8cd0 6 bytes {JMP QWORD [RIP+0x8e87360]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!BlockInput 00000000774dad60 6 bytes {JMP QWORD [RIP+0x8f852d0]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775014e0 6 bytes {JMP QWORD [RIP+0x901eb50]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!keybd_event 00000000775245a4 6 bytes {JMP QWORD [RIP+0x8b9ba8c]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007752cc08 6 bytes {JMP QWORD [RIP+0x8df3428]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007752df18 6 bytes {JMP QWORD [RIP+0x8d72118]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\services.exe[640] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes JMP 6a87 .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7d4750 6 bytes {JMP QWORD [RIP+0x11b8e0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Windows\system32\nvvsvc.exe[872] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7d4750 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes JMP e11300 .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes JMP 701b .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes JMP 750059 .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes JMP 8a6c590 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes JMP 105922e .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes JMP a3a5451 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes JMP 90c0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes JMP b2c0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes JMP 2f0c0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes JMP 7333c0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes JMP 8ed2191 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes JMP 8f7e6c0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes JMP 35899fd0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes JMP 11c00 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes JMP 8f3f7c0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes JMP 8ffe408 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes JMP 600 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes JMP 11c00 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes JMP d340099 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes JMP 911e802 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes JMP 870e218 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes JMP 8ed3fd1 .text C:\Windows\System32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes JMP 8d05b48 .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes JMP 8c9dcc0 .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes JMP 1055906 .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Windows\System32\svchost.exe[416] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes JMP 2f0002 .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[504] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7d4750 6 bytes {JMP QWORD [RIP+0x11b8e0]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1268] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Windows\system32\nvvsvc.exe[1288] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes JMP 3244 .text C:\Windows\system32\FBAgent.exe[1484] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes JMP 55002d .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1512] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1576] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\spoolsv.exe[1684] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff7d4750 6 bytes {JMP QWORD [RIP+0x11b8e0]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe[1884] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe[1884] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe[1884] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes JMP 200020 .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\conhost.exe[2036] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 1A] .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes JMP 3244 .text C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe[1112] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes JMP 55002d .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\conhost.exe[1152] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Bonjour\mDNSResponder.exe[1228] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2068] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072e01a22 2 bytes [E0, 72] .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072e01ad0 2 bytes [E0, 72] .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072e01b08 2 bytes [E0, 72] .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072e01bba 2 bytes [E0, 72] .text C:\Windows\SysWOW64\rpcnet.exe[2224] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072e01bda 2 bytes [E0, 72] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 7175000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 710c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 7145000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7112000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7112000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 712a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 7109000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 710f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 7139000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 713f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 7136000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7133000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 7127000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 712d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7130000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7130000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 7115000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 7106000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7142000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 713c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075f41465 2 bytes [F4, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075f414bb 2 bytes [F4, 75] .text ... * 2 .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files\Orange\CMSrv.exe[2664] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 28] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2708] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71a6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71a6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70da000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70da000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 70f2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70c5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70c5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 719f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 7191000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 718e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7185000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 7194000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71a30000 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7173000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7170000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 7182000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7167000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 716d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 717c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 717f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 716a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7152000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7146000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7101000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7140000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 713a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7158000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7107000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7107000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 714c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 711f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7116000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7116000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 70fe000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7113000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7113000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 714f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 7149000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7155000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7143000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7104000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 715b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 712e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7134000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 713d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 715e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7110000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7110000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 712b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7128000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 711c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7122000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7122000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7125000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7125000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 710a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 70fb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7161000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7164000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7137000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7131000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 710d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 710d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 7119000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 7119000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 718b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2796] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7188000a .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2824] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077601430 8 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 8 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2188] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\svchost.exe[3188] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70ef000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70ef000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70da000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70da000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70e0000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70e0000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70d7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70d7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 70f8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 70f8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70cb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70cb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70ec000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70ec000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70d4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70d4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 70f5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 70f5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70f2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70f2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 710d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 710d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 710a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 7110000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 7101000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075f41465 2 bytes [F4, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075f414bb 2 bytes [F4, 75] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 0 .text C:\Windows\system32\SearchIndexer.exe[2832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdc2a6f0 6 bytes {JMP QWORD [RIP+0x185940]} .text C:\Windows\system32\taskhost.exe[832] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc50c10 6 bytes {JMP QWORD [RIP+0x17f420]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskeng.exe[2244] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskeng.exe[2104] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes JMP 2f0002 .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\taskeng.exe[1460] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\system32\Dwm.exe[2588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes JMP ff000000 .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes JMP bf7e7e7e .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes JMP ffa9a9a9 .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes JMP 2f0002 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes JMP 70000 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000774b6ef0 6 bytes {JMP QWORD [RIP+0x8f29140]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000774b8184 6 bytes {JMP QWORD [RIP+0x9007eac]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetParent 00000000774b8530 6 bytes {JMP QWORD [RIP+0x8f47b00]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000774b9bcc 6 bytes {JMP QWORD [RIP+0x8ca6464]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!PostMessageA 00000000774ba404 6 bytes {JMP QWORD [RIP+0x8ce5c2c]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!EnableWindow 00000000774baaa0 6 bytes {JMP QWORD [RIP+0x9045590]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!MoveWindow 00000000774baad0 6 bytes {JMP QWORD [RIP+0x8f65560]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000774bc720 6 bytes {JMP QWORD [RIP+0x8f03910]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000774bcd50 6 bytes {JMP QWORD [RIP+0x8fe32e0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000774bd2b0 6 bytes {JMP QWORD [RIP+0x8d22d80]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendMessageA 00000000774bd338 6 bytes {JMP QWORD [RIP+0x8d62cf8]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000774bdc40 6 bytes JMP 8b48fff9 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000774bf510 6 bytes {JMP QWORD [RIP+0x9020b20]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000774bf874 6 bytes {JMP QWORD [RIP+0x8c607bc]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000774bfac0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000774c0b74 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000774c33b0 6 bytes {JMP QWORD [RIP+0x8cbcc80]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000774c4d4d 5 bytes {JMP QWORD [RIP+0x8c7b2e4]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!GetKeyState 00000000774c5010 6 bytes {JMP QWORD [RIP+0x8edb020]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000774c5438 6 bytes JMP 24748948 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendMessageW 00000000774c6b50 6 bytes {JMP QWORD [RIP+0x8d794e0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!PostMessageW 00000000774c76e4 6 bytes {JMP QWORD [RIP+0x8cf894c]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000774cdd90 6 bytes {JMP QWORD [RIP+0x8e722a0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!GetClipboardData 00000000774ce874 6 bytes {JMP QWORD [RIP+0x8fb17bc]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000774cf780 6 bytes {JMP QWORD [RIP+0x8f708b0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000774d28e4 6 bytes JMP 5d415e41 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!mouse_event 00000000774d3894 6 bytes {JMP QWORD [RIP+0x8c0c79c]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000774d8a10 6 bytes {JMP QWORD [RIP+0x8ea7620]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000774d8be0 6 bytes {JMP QWORD [RIP+0x8d87450]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000774d8c20 6 bytes {JMP QWORD [RIP+0x8c27410]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendInput 00000000774d8cd0 6 bytes {JMP QWORD [RIP+0x8e87360]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!BlockInput 00000000774dad60 6 bytes {JMP QWORD [RIP+0x8f852d0]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000775014e0 6 bytes {JMP QWORD [RIP+0x901eb50]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!keybd_event 00000000775245a4 6 bytes {JMP QWORD [RIP+0x8b9ba8c]} .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007752cc08 6 bytes JMP 48602474 .text C:\Windows\Explorer.EXE[4136] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007752df18 6 bytes {JMP QWORD [RIP+0x8d72118]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4288] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 0 .text C:\Windows\SysWOW64\ACEngSvr.exe[4348] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes JMP 0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4496] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes JMP 0 .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes {JMP QWORD [RIP+0x174648]} .text C:\Windows\System32\rundll32.exe[4828] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Windows\System32\hkcmd.exe[4940] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Windows\System32\igfxpers.exe[4952] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes {JMP QWORD [RIP+0x11db78]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 10002 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4964] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70df000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70df000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70ca000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70ca000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70d0000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70d0000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70c7000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70c7000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70d3000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70d3000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 70eb000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 70eb000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 70e8000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 70e8000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70cd000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70cd000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70bb000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70bb000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 70ee000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 70ee000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70dc000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70dc000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70c4000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70c4000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70be000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70be000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70d9000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70d9000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70c1000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70c1000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70d6000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70d6000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 70e5000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 70e5000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70e2000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70e2000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 70f7000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7148000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 7130000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 70fd000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 70fd000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7115000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 710c000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 710c000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 70f4000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7109000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7109000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 714b000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 70fa000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 7124000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 712a000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 7145000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7106000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7106000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 7121000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 711e000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 7112000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7118000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7118000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 711b000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 711b000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 7100000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 70f1000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 712d000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7127000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 7103000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 7103000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 710f000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 710f000a .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075f41465 2 bytes [F4, 75] .text C:\Windows\AsScrPro.exe[4976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075f414bb 2 bytes [F4, 75] .text ... * 2 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[4504] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775d3b10 6 bytes {JMP QWORD [RIP+0x8a6c520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000776013a0 6 bytes {JMP QWORD [RIP+0x8a1ec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077601570 6 bytes {JMP QWORD [RIP+0x8fdeac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776015e0 6 bytes {JMP QWORD [RIP+0x90bea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077601620 6 bytes {JMP QWORD [RIP+0x907ea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000776016c0 6 bytes {JMP QWORD [RIP+0x90de970]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077601750 6 bytes {JMP QWORD [RIP+0x905e8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077601790 6 bytes {JMP QWORD [RIP+0x8f5e8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776017e0 6 bytes {JMP QWORD [RIP+0x8f7e850]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077601800 6 bytes {JMP QWORD [RIP+0x909e830]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000776019f0 6 bytes {JMP QWORD [RIP+0x915e640]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077601b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077601bd0 6 bytes {JMP QWORD [RIP+0x8ffe460]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077601d20 6 bytes {JMP QWORD [RIP+0x90fe310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077601d30 6 bytes {JMP QWORD [RIP+0x913e300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776020a0 6 bytes {JMP QWORD [RIP+0x901df90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077602130 6 bytes {JMP QWORD [RIP+0x911df00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776029a0 6 bytes {JMP QWORD [RIP+0x903d690]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077602a20 6 bytes {JMP QWORD [RIP+0x8f9d610]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077602aa0 6 bytes {JMP QWORD [RIP+0x8fbd590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007739a420 6 bytes {JMP QWORD [RIP+0x8d05c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000773b1b50 6 bytes {JMP QWORD [RIP+0x8cae4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077428810 6 bytes {JMP QWORD [RIP+0x8c57820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff3e22d0 6 bytes {JMP QWORD [RIP+0xfdd60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!BitBlt 000007feff3e24b8 6 bytes JMP 0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff3e5be0 6 bytes {JMP QWORD [RIP+0x13a450]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff3e8384 6 bytes {JMP QWORD [RIP+0xb7cac]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff3e89c4 6 bytes {JMP QWORD [RIP+0x9766c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!GetPixel 000007feff3e933c 6 bytes {JMP QWORD [RIP+0xd6cf4]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff3eb9e8 6 bytes JMP 16d .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4580] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff3ec8b0 6 bytes {JMP QWORD [RIP+0x153780]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[3028] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4224] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd699055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5192] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6a53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000777af9e0 3 bytes JMP 71af000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000777af9e4 2 bytes JMP 71af000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777afcb0 3 bytes JMP 70fa000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000777afcb4 2 bytes JMP 70fa000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777afd64 3 bytes JMP 70e5000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777afd68 2 bytes JMP 70e5000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000777afdc8 3 bytes JMP 70eb000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000777afdcc 2 bytes JMP 70eb000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000777afec0 3 bytes JMP 70e2000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000777afec4 2 bytes JMP 70e2000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000777affa4 3 bytes JMP 70ee000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000777affa8 2 bytes JMP 70ee000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000777b0004 3 bytes JMP 7106000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000777b0008 2 bytes JMP 7106000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000777b0084 3 bytes JMP 7103000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000777b0088 2 bytes JMP 7103000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777b00b4 3 bytes JMP 70e8000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777b00b8 2 bytes JMP 70e8000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777b03b8 3 bytes JMP 70d6000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777b03bc 2 bytes JMP 70d6000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b0550 3 bytes JMP 7109000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000777b0554 2 bytes JMP 7109000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000777b0694 3 bytes JMP 70f7000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000777b0698 2 bytes JMP 70f7000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000777b088c 3 bytes JMP 70df000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000777b0890 2 bytes JMP 70df000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777b08a4 3 bytes JMP 70d9000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777b08a8 2 bytes JMP 70d9000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000777b0df4 3 bytes JMP 70f4000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000777b0df8 2 bytes JMP 70f4000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000777b0ed8 3 bytes JMP 70dc000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000777b0edc 2 bytes JMP 70dc000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000777b1be4 3 bytes JMP 70f1000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000777b1be8 2 bytes JMP 70f1000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000777b1cb4 3 bytes JMP 7100000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000777b1cb8 2 bytes JMP 7100000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000777b1d8c 3 bytes JMP 70fd000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000777b1d90 2 bytes JMP 70fd000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777d1287 6 bytes JMP 71a8000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007578103d 6 bytes JMP 719c000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075781072 6 bytes JMP 7199000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000757ac965 6 bytes JMP 7190000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007734f776 6 bytes JMP 719f000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000077352c91 4 bytes CALL 71ac0000 .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076328332 6 bytes JMP 7163000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076328bff 6 bytes JMP 7157000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000763290d3 6 bytes JMP 7112000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076329679 6 bytes JMP 7151000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000763297d2 6 bytes JMP 714b000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007632ee09 6 bytes JMP 7169000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007632efc9 3 bytes JMP 7118000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007632efcd 2 bytes JMP 7118000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000763312a5 6 bytes JMP 715d000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007633291f 6 bytes JMP 7130000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetParent 0000000076332d64 3 bytes JMP 7127000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076332d68 2 bytes JMP 7127000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076332da4 6 bytes JMP 710f000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076333698 3 bytes JMP 7124000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007633369c 2 bytes JMP 7124000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076333baa 6 bytes JMP 7160000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076333c61 6 bytes JMP 715a000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076336110 6 bytes JMP 7166000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007633612e 6 bytes JMP 7154000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076336c30 6 bytes JMP 7115000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076337603 6 bytes JMP 716c000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076337668 6 bytes JMP 713f000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000763376e0 6 bytes JMP 7145000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007633781f 6 bytes JMP 714e000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007633835c 6 bytes JMP 716f000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007633c4b6 3 bytes JMP 7121000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007633c4ba 2 bytes JMP 7121000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007634c112 6 bytes JMP 713c000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007634d0f5 6 bytes JMP 7139000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007634eb96 6 bytes JMP 712d000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007634ec68 3 bytes JMP 7133000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007634ec6c 2 bytes JMP 7133000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendInput 000000007634ff4a 3 bytes JMP 7136000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007634ff4e 2 bytes JMP 7136000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076369f1d 6 bytes JMP 711b000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076371497 6 bytes JMP 710c000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!mouse_event 000000007638027b 6 bytes JMP 7172000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!keybd_event 00000000763802bf 6 bytes JMP 7175000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076386cfc 6 bytes JMP 7148000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076386d5d 6 bytes JMP 7142000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076387dd7 3 bytes JMP 711e000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076387ddb 2 bytes JMP 711e000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000763888eb 3 bytes JMP 712a000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000763888ef 2 bytes JMP 712a000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758958b3 6 bytes JMP 7184000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075895ea6 6 bytes JMP 7181000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075897bcc 6 bytes JMP 718d000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007589b895 6 bytes JMP 7178000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007589c332 6 bytes JMP 717e000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007589cbfb 6 bytes JMP 7187000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007589e743 6 bytes JMP 718a000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000758c480f 6 bytes JMP 717b000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000761b2642 6 bytes JMP 7196000a .text C:\Users\Misiołek\Downloads\u9x0060s.exe[3340] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000761b5429 6 bytes JMP 7193000a ---- Files - GMER 2.1 ---- File C:\System Volume Information\MountPointManagerRemoteDatabase 0 bytes File C:\System Volume Information\SPP 0 bytes File C:\System Volume Information\SPP\OnlineMetadataCache 0 bytes File C:\System Volume Information\SPP\OnlineMetadataCache\{1918ec26-78d2-472b-a2b4-cb9773221cf5}_OnDiskSnapshotProp 11296 bytes File C:\System Volume Information\SPP\OnlineMetadataCache\{6658658d-3300-4081-8203-40036336ec2c}_OnDiskSnapshotProp 11296 bytes File C:\System Volume Information\SPP\OnlineMetadataCache\{8fa2155a-ccaf-45ea-87d4-240b85593bbc}_OnDiskSnapshotProp 11400 bytes File C:\System Volume Information\SPP\SppCbsHiveStore 0 bytes File C:\System Volume Information\SPP\SppGroupCache 0 bytes File C:\System Volume Information\SPP\SppGroupCache\{1918EC26-78D2-472B-A2B4-CB9773221CF5}_DriverPackageInfo 58696 bytes File C:\System Volume Information\SPP\SppGroupCache\{1918EC26-78D2-472B-A2B4-CB9773221CF5}_WindowsUpdateInfo 23560 bytes File C:\System Volume Information\SPP\SppGroupCache\{6658658D-3300-4081-8203-40036336EC2C}_DriverPackageInfo 58696 bytes File C:\System Volume Information\SPP\SppGroupCache\{6658658D-3300-4081-8203-40036336EC2C}_WindowsUpdateInfo 23560 bytes File C:\System Volume Information\Syscache.hve 15204352 bytes File C:\System Volume Information\Syscache.hve.LOG1 262144 bytes File C:\System Volume Information\Syscache.hve.LOG2 0 bytes File C:\System Volume Information\SystemRestore 0 bytes File C:\System Volume Information\SystemRestore\FRStaging 0 bytes File C:\System Volume Information\SystemRestore\FRStaging\Windows 0 bytes File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32 0 bytes File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\DriverStore 0 bytes File C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs 0 bytes File C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_4019f2b8d860ad30 0 bytes File C:\System Volume Information\tracking.log 20480 bytes File C:\System Volume Information\Windows Backup 0 bytes File C:\System Volume Information\Windows Backup\Catalogs 0 bytes File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalog.wbcat 136 bytes File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalogLock.dat 0 bytes File C:\System Volume Information\WindowsImageBackup 0 bytes File C:\System Volume Information\WindowsImageBackup\SPPMetadataCache 0 bytes File C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} 65536 bytes File C:\System Volume Information\{9fa86117-7dcb-11e3-a084-bcaec561c7b0}{3808876b-c176-4e48-b7ae-04046e6cc752} 1912602624 bytes File C:\System Volume Information\{d4b019d6-7909-11e3-94f6-bcaec561c7b0}{3808876b-c176-4e48-b7ae-04046e6cc752} 1543835648 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl 72 bytes ---- EOF - GMER 2.1 ----