GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-02 15:19:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST964032 rev.0001 596,17GB Running: 1ymu2tdm.exe; Driver: C:\Users\Monika\AppData\Local\Temp\uxldapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033f0000 8 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800033f0010 49 bytes [00, 04, 00, 00, 80, 01, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077711360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077711560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\services.exe[776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[776] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddd4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000775c6ef0 6 bytes {JMP QWORD [RIP+0x8e19140]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000775c8184 6 bytes {JMP QWORD [RIP+0x8ef7eac]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetParent 00000000775c8530 6 bytes {JMP QWORD [RIP+0x8e37b00]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000775c9bcc 6 bytes {JMP QWORD [RIP+0x8b96464]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostMessageA 00000000775ca404 6 bytes {JMP QWORD [RIP+0x8bd5c2c]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!EnableWindow 00000000775caaa0 6 bytes {JMP QWORD [RIP+0x8f35590]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!MoveWindow 00000000775caad0 6 bytes {JMP QWORD [RIP+0x8e55560]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000775cc720 6 bytes {JMP QWORD [RIP+0x8df3910]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000775ccd50 6 bytes {JMP QWORD [RIP+0x8ed32e0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000775cd2b0 6 bytes {JMP QWORD [RIP+0x8c12d80]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageA 00000000775cd338 6 bytes {JMP QWORD [RIP+0x8c52cf8]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000775cdc40 6 bytes {JMP QWORD [RIP+0x8d323f0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000775cf510 6 bytes {JMP QWORD [RIP+0x8f10b20]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000775cf874 6 bytes {JMP QWORD [RIP+0x8b507bc]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000775cfac0 6 bytes {JMP QWORD [RIP+0x8cb0570]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000775d0b74 6 bytes {JMP QWORD [RIP+0x8c2f4bc]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000775d33b0 6 bytes {JMP QWORD [RIP+0x8bacc80]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000775d4d4d 5 bytes {JMP QWORD [RIP+0x8b6b2e4]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetKeyState 00000000775d5010 6 bytes {JMP QWORD [RIP+0x8dcb020]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000775d5438 6 bytes {JMP QWORD [RIP+0x8ceabf8]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageW 00000000775d6b50 6 bytes {JMP QWORD [RIP+0x8c694e0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostMessageW 00000000775d76e4 6 bytes {JMP QWORD [RIP+0x8be894c]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000775ddd90 6 bytes {JMP QWORD [RIP+0x8d622a0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetClipboardData 00000000775de874 6 bytes {JMP QWORD [RIP+0x8ea17bc]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000775df780 6 bytes {JMP QWORD [RIP+0x8e608b0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000775e28e4 6 bytes {JMP QWORD [RIP+0x8cfd74c]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!mouse_event 00000000775e3894 6 bytes {JMP QWORD [RIP+0x8afc79c]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000775e8a10 6 bytes {JMP QWORD [RIP+0x8d97620]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000775e8be0 6 bytes {JMP QWORD [RIP+0x8c77450]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000775e8c20 6 bytes {JMP QWORD [RIP+0x8b17410]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendInput 00000000775e8cd0 6 bytes {JMP QWORD [RIP+0x8d77360]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!BlockInput 00000000775ead60 6 bytes {JMP QWORD [RIP+0x8e752d0]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000776114e0 6 bytes {JMP QWORD [RIP+0x8f0eb50]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!keybd_event 00000000776345a4 6 bytes {JMP QWORD [RIP+0x8a8ba8c]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007763cc08 6 bytes {JMP QWORD [RIP+0x8ce3428]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007763df18 6 bytes {JMP QWORD [RIP+0x8c62118]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 1fdd60 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 101 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes JMP 0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 2bc5 .text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 1407 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 30242073 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\lsm.exe[796] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddd4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 100061fe .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 740073 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[976] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddd4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 1add0d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 274640 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes JMP ee4ab2e .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes JMP d0050001 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\atiesrxx.exe[856] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes JMP 82da630 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes JMP 890ec68 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes JMP 4 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes JMP 8eb6471 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes JMP 1002e .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes JMP 8eb73e1 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes JMP d5e6 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes JMP 8f8e7a2 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes JMP 7c281 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes JMP 43005c .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes JMP 12ea680 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes JMP 681 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes JMP 7d0e81 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes JMP 33681 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes JMP 3a001 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes JMP 8ec2a09 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes JMP 9024e41 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 23a468 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\System32\svchost.exe[1076] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddd4750 6 bytes JMP 7c2 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP d9b26 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 2794b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 2d413835 .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\atieclxx.exe[1332] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefddd4750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\FBAgent.exe[1688] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes [02, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1732] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes [02, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1772] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1100] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes JMP 520045 .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\Explorer.EXE[1312] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 415 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1640] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP ffffffff .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\System32\spoolsv.exe[1256] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Windows\system32\taskhost.exe[1208] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F2, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [DD, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [E3, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [DA, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [E6, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [FE, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70fc000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E0, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [CE, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [01, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [EF, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [D7, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D1, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [EC, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [D4, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 00000000cc19e55d .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 70f9000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [F5, 70] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x710a001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [10, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x7104001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 7117000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2104] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\taskeng.exe[2208] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [DF, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [D6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [E2, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [DC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [D3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [CD, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [D0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2240] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2452] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F6, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E1, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [E7, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [DE, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [EA, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7103000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7103000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7100000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7100000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E4, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D2, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [05, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F3, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DB, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D5, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F0, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [D8, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70ee000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70ee000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FC, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [F9, 70] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [14, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [23, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [20, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7112000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [1D, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [2F, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [32, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x7108001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1A, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [26, 71] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Windows\AsScrPro.exe[2644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2752] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 80 .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files\Bonjour\mDNSResponder.exe[2844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [D5, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [C0, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [C6, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [BD, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [C9, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [E1, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70df000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [C3, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [B1, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [D2, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [BA, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [B4, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [CF, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [B7, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [CC, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [DB, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [D8, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 715d000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7151000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 70ee000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 714b000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [F3, 70] .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 7157000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 710d000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7104000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7104000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x70ea001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 715a000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 7154000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7160000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 714e000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x70f0001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 7166000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 711c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 7148000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 7119000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7116000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 710a000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7110000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7110000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7113000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7113000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x70f6001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 70e8000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 716f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 711f000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 7107000a .text C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[2880] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 7107000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [DF, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [CA, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [D0, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [C7, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [D3, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes {JMP 0x72} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [CD, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [BB, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [EE, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [DC, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [C4, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70bf000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [C1, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [D6, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [E5, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [E2, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x713c001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x70f7001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7136001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x7130001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [FD, 70] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x7115001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [0C, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x70f4001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [09, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 7140000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7139001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x70fa001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x7124001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x712a001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x7133001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [06, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x7121001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x711e001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x7112001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [18, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [1B, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x7100001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x70f1001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x712d001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7127001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [03, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [0F, 71] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2948] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [DF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [DC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [D6, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2020] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 4d68636d .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe[2576] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 350031 .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[524] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes [02, 71] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70d6000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70d6000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 7100000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 7100000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Windows\SysWOW64\NLSSRV32.EXE[2472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\System32\svchost.exe[544] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2136] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff86a6f0 6 bytes {JMP QWORD [RIP+0x195940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff890c10 6 bytes {JMP QWORD [RIP+0x18f420]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2008] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 15aad .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3272] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F5, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E0, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [E6, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [DD, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 00000000cc19c91d .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [01, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70ff000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70ff000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e4000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e4000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D1, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [04, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F2, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DA, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D4, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [EF, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [D7, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [EC, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FB, 70] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70f9000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70f9000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x710d001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [13, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [22, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710a001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [1F, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 711d000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 711d000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x7128001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [2E, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [31, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x7107001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [19, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [25, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3336] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[3680] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Windows\system32\wbem\wmiprvse.exe[4032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[4080] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4220] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrl.exe[4452] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\KERNEL32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\KERNEL32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 79000026 .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe[4460] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0D] .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x4cdb78]} .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x4ea450]} .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 0 .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x44766c]} .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x486cf4]} .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x524648]} .text C:\Windows\WindowsMobile\wmdc.exe[4504] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP fe3879b0 .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[4692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes JMP 360035 .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [C0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70ac000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70ac000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [B1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [A8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [B4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [CC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70ca000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [AE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [9C, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [CF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [BD, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [A5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [9F, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [BA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [A2, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [C6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [C3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 70d9000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 713d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x70d5001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7140000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 713a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x70db001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x70e1001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x70d2001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[4184] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes JMP 70fa000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes JMP 70fa000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70e5000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70e5000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70eb000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70eb000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70ee000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70ee000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70f7000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70f7000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70df000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70df000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70d9000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70d9000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70f4000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70f4000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70dc000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70dc000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 7100000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 7100000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70fd000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70fd000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7157000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 714b000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes JMP 7118000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes JMP 7118000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7127000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7127000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 715a000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7115000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 716c000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 7145000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7121000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7121000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7139000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7133000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7133000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7136000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7136000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 711e000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 711e000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 712a000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 712a000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Users\Monika\AppData\Local\Akamai\netsession_win.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4704] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [E7, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [29, 71] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4660] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [DC, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70c8000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70c8000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [C4, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [E8, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70b9000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70b9000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [D9, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [C1, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70bc000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70bc000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [D6, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [BE, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [D3, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [E2, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [DF, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x70f4001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7135000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [FA, 70] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x7112001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [09, 71] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x70f1001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [06, 71] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x70f7001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 7123000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7128001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [03, 71] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x711c001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x710f001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7116000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7116000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [19, 71] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 70fe000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x70ee001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x712b001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7125001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!BlockInput + 5 00000000769b7ddc 1 byte [71] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [0C, 71] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4992] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [E4, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [E1, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [05, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [FF, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [FC, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [17, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x710e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [20, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [32, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [35, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [1D, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5128] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 712a000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [EF, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70d6000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70d6000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [DB, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [D2, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70df000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70df000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes [FB, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70f9000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70f9000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70d9000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70d9000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70c7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70c7000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 70ff000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 70ff000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [EC, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [CF, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70ca000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70ca000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 00000000cc19d76d .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [CC, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [E6, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [F5, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [F2, 70] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 715d000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7151000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7108000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 714b000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 7145000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [0D, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 7157000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x7125001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [1C, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x7104001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 711a000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 711a000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 715a000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x710a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x713a001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [16, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x712e001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 7123000a .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [28, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [2B, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x7101001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [13, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [1F, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5176] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077711430 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes CALL 9000027 .text C:\Windows\system32\SearchIndexer.exe[5240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes [DF, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes [CA, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes [D0, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes [C7, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes [D3, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes {JMP 0x72} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes [CD, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes [BB, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes [EE, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes [DC, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes [C4, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes [BE, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes [D9, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes [C1, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes [D6, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes [E5, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes [E2, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes {JMP QWORD [RIP+0x713c001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes {JMP QWORD [RIP+0x70f7001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes {JMP QWORD [RIP+0x7136001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 7131000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes [FD, 70] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes {JMP QWORD [RIP+0x7115001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes [0C, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes {JMP QWORD [RIP+0x70f4001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 710a000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes {JMP QWORD [RIP+0x713f001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes {JMP QWORD [RIP+0x7139001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes {JMP QWORD [RIP+0x70fa001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes {JMP QWORD [RIP+0x7124001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes {JMP QWORD [RIP+0x712a001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes {JMP QWORD [RIP+0x7133001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes [06, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes {JMP QWORD [RIP+0x7121001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes {JMP QWORD [RIP+0x711e001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes {JMP QWORD [RIP+0x7112001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes [18, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes [1B, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 7101000a .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes {JMP QWORD [RIP+0x70f1001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes {JMP QWORD [RIP+0x712d001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes {JMP QWORD [RIP+0x7127001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes [03, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes [0F, 71] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe[5436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes {JMP QWORD [RIP+0x1fdd60]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5844] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes {JMP QWORD [RIP+0x253780]} .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70da000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70da000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70cb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70cb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe[5896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes JMP 70d5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes JMP 70d5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70c0000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70c0000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70c6000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70c6000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes JMP 70bd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes JMP 70bd000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70c9000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70c9000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 70e1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 70e1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 70de000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 70de000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70c3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70c3000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70b1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70b1000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 70e4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 70e4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70d2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70d2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70ba000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70ba000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70b4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70b4000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70cf000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70cf000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70b7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70b7000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70cc000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70cc000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 70db000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 70db000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70d8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70d8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 713d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 70f8000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7137000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 7131000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7116000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 710d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 710d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 70f5000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 710a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 710a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 7140000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 713a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 70fb000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 7125000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 712b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 7134000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7107000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7107000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 7122000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 711f000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 7113000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7119000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7119000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 711c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 711c000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 7101000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 70f2000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 712e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7128000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 7104000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 7104000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 7110000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 7110000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe[5968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ac1465 2 bytes [AC, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ac14bb 2 bytes [AC, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff218384 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes {JMP QWORD [RIP+0x274648]} .text C:\Windows\system32\svchost.exe[5416] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000776e3b10 6 bytes {JMP QWORD [RIP+0x895c520]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000777113a0 6 bytes {JMP QWORD [RIP+0x890ec90]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077711570 6 bytes {JMP QWORD [RIP+0x8eceac0]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000777115e0 6 bytes {JMP QWORD [RIP+0x8faea50]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077711620 6 bytes {JMP QWORD [RIP+0x8f6ea10]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000777116c0 6 bytes {JMP QWORD [RIP+0x8fce970]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077711750 6 bytes {JMP QWORD [RIP+0x8f4e8e0]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077711790 6 bytes {JMP QWORD [RIP+0x8e4e8a0]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777117e0 6 bytes {JMP QWORD [RIP+0x8e6e850]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077711800 6 bytes {JMP QWORD [RIP+0x8f8e830]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000777119f0 6 bytes {JMP QWORD [RIP+0x904e640]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077711b00 6 bytes {JMP QWORD [RIP+0x8e2e530]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077711bd0 6 bytes {JMP QWORD [RIP+0x8eee460]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077711d20 6 bytes {JMP QWORD [RIP+0x8fee310]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077711d30 6 bytes {JMP QWORD [RIP+0x902e300]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777120a0 6 bytes {JMP QWORD [RIP+0x8f0df90]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077712130 6 bytes {JMP QWORD [RIP+0x900df00]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777129a0 6 bytes {JMP QWORD [RIP+0x8f2d690]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077712a20 6 bytes {JMP QWORD [RIP+0x8e8d610]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077712aa0 6 bytes {JMP QWORD [RIP+0x8ead590]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 00000000774aa420 6 bytes {JMP QWORD [RIP+0x8bf5c10]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\kernel32.dll!CreateProcessW 00000000774c1b50 6 bytes {JMP QWORD [RIP+0x8b9e4e0]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000774feecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077538810 6 bytes {JMP QWORD [RIP+0x8b47820]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd529055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd5353c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff2122d0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!BitBlt 000007feff2124b8 6 bytes {JMP QWORD [RIP+0x21db78]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff215be0 6 bytes {JMP QWORD [RIP+0x23a450]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff218384 6 bytes {JMP QWORD [RIP+0x1b7cac]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff2189c4 6 bytes {JMP QWORD [RIP+0x19766c]} .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!GetPixel 000007feff21933c 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff21b9e8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[6644] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff21c8b0 6 bytes JMP 0 .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000778bf9e0 3 bytes JMP 71af000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000778bf9e4 2 bytes JMP 71af000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000778bfcb0 3 bytes JMP 70fa000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000778bfcb4 2 bytes JMP 70fa000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000778bfd64 3 bytes JMP 70e5000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000778bfd68 2 bytes JMP 70e5000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000778bfdc8 3 bytes JMP 70eb000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000778bfdcc 2 bytes JMP 70eb000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000778bfec0 3 bytes JMP 70e2000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000778bfec4 2 bytes JMP 70e2000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000778bffa4 3 bytes JMP 70ee000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000778bffa8 2 bytes JMP 70ee000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000778c0004 3 bytes JMP 7106000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000778c0008 2 bytes JMP 7106000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000778c0084 3 bytes JMP 7103000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000778c0088 2 bytes JMP 7103000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000778c00b4 3 bytes JMP 70e8000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000778c00b8 2 bytes JMP 70e8000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000778c03b8 3 bytes JMP 70d6000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000778c03bc 2 bytes JMP 70d6000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c0550 3 bytes JMP 7109000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000778c0554 2 bytes JMP 7109000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000778c0694 3 bytes JMP 70f7000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000778c0698 2 bytes JMP 70f7000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c088c 3 bytes JMP 70df000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000778c0890 2 bytes JMP 70df000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000778c08a4 3 bytes JMP 70d9000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000778c08a8 2 bytes JMP 70d9000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000778c0df4 3 bytes JMP 70f4000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000778c0df8 2 bytes JMP 70f4000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000778c0ed8 3 bytes JMP 70dc000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000778c0edc 2 bytes JMP 70dc000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000778c1be4 3 bytes JMP 70f1000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000778c1be8 2 bytes JMP 70f1000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000778c1cb4 3 bytes JMP 7100000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000778c1cb8 2 bytes JMP 7100000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000778c1d8c 3 bytes JMP 70fd000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000778c1d90 2 bytes JMP 70fd000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000778e1287 6 bytes JMP 71a8000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000754a103d 6 bytes JMP 719c000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000754a1072 6 bytes JMP 7199000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000754ca2ba 1 byte [62] .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000754cc965 6 bytes JMP 7190000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007677f776 6 bytes JMP 719f000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076782c91 4 bytes CALL 71ac0000 .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076958332 6 bytes JMP 7163000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076958bff 6 bytes JMP 7157000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000769590d3 6 bytes JMP 7112000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076959679 6 bytes JMP 7151000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000769597d2 6 bytes JMP 714b000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007695ee09 6 bytes JMP 7169000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007695efc9 3 bytes JMP 7118000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007695efcd 2 bytes JMP 7118000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000769612a5 6 bytes JMP 715d000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007696291f 6 bytes JMP 7130000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetParent 0000000076962d64 3 bytes JMP 7127000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076962d68 2 bytes JMP 7127000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076962da4 6 bytes JMP 710f000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076963698 3 bytes JMP 7124000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007696369c 2 bytes JMP 7124000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076963baa 6 bytes JMP 7160000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076963c61 6 bytes JMP 715a000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076966110 6 bytes JMP 7166000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007696612e 6 bytes JMP 7154000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076966c30 6 bytes JMP 7115000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076967603 6 bytes JMP 716c000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076967668 6 bytes JMP 713f000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000769676e0 6 bytes JMP 7145000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007696781f 6 bytes JMP 714e000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007696835c 6 bytes JMP 716f000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007696c4b6 3 bytes JMP 7121000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007696c4ba 2 bytes JMP 7121000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007697c112 6 bytes JMP 713c000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007697d0f5 6 bytes JMP 7139000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007697eb96 6 bytes JMP 712d000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007697ec68 3 bytes JMP 7133000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007697ec6c 2 bytes JMP 7133000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendInput 000000007697ff4a 3 bytes JMP 7136000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007697ff4e 2 bytes JMP 7136000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076999f1d 6 bytes JMP 711b000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000769a1497 6 bytes JMP 710c000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!mouse_event 00000000769b027b 6 bytes JMP 7172000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!keybd_event 00000000769b02bf 6 bytes JMP 7175000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000769b6cfc 6 bytes JMP 7148000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000769b6d5d 6 bytes JMP 7142000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!BlockInput 00000000769b7dd7 3 bytes JMP 711e000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000769b7ddb 2 bytes JMP 711e000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000769b88eb 3 bytes JMP 712a000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000769b88ef 2 bytes JMP 712a000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000754158b3 6 bytes JMP 7184000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075415ea6 6 bytes JMP 7181000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075417bcc 6 bytes JMP 718d000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007541b895 6 bytes JMP 7178000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007541c332 6 bytes JMP 717e000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007541cbfb 6 bytes JMP 7187000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007541e743 6 bytes JMP 718a000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007544480f 6 bytes JMP 717b000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075752642 6 bytes JMP 7196000a .text D:\download\1ymu2tdm.exe[2464] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000075755429 6 bytes JMP 7193000a ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b5e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b5c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b6614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b6a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b686c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [fce8840fed844566] [unknown section] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [fffffcca820fd03b] [unknown section] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortStallExecution] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [fffffc92830fca3b] [unknown section] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [fc80840f00107983] [unknown section] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortNotification] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [fffc59830fc83b08] [unknown section] IAT C:\Windows\System32\Drivers\aa4y1svt.SYS[NTOSKRNL.exe!KeBugCheckEx] [?] ---- Devices - GMER 2.1 ---- Device \Driver\aa4y1svt \Device\Scsi\aa4y1svt1 fffffa8005d132c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa8005cdd2c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa8005cdd2c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa8005cdd2c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa8005cdd2c0 Device \Driver\aa4y1svt \Device\Scsi\aa4y1svt1Port5Path0Target0Lun0 fffffa8005d132c0 Device \FileSystem\Ntfs \Ntfs fffffa80044992c0 Device \FileSystem\fastfat \Fat fffffa800aa4d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4F05A13B-B8AB-4565-89AA-8A6653500A63} fffffa8004f9e2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800513b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EE38F61D-860C-4363-B004-600F49401815} fffffa8004f9e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004e212c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004e212c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800513b2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800513b2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004f9e2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800513b2c0 Device \Driver\JMCR \Device\ScsiPort1 fffffa8005cdd2c0 Device \Driver\JMCR \Device\ScsiPort2 fffffa8005cdd2c0 Device \Driver\JMCR \Device\ScsiPort3 fffffa8005cdd2c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa8005cdd2c0 Device \Driver\aa4y1svt \Device\ScsiPort5 fffffa8005d132c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aa4y1svt.SYS (MS AHCI 1.0 Standard Driver/Microsoft Corporation SIGNED)(2012-01-28 10:16:42) fffff8800470b000-fffff88004756000 (307200 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3E 0xE1 0x08 0xB2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA5 0x80 0x12 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x76 0xD6 0xD2 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xD7 0xE7 0xA5 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3E 0xE1 0x08 0xB2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA5 0x80 0x12 0x0B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x76 0xD6 0xD2 0x55 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0xD7 0xE7 0xA5 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Data@UpdateBin.{A6D52E4F-569B-4756-B3D8-DF217313DA85} 0xBA 0x23 0x13 0x53 ... ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes ---- EOF - GMER 2.1 ----