GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-12 16:32:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB Running: syv15t6k.exe; Driver: C:\Users\Piotrek\AppData\Local\Temp\kfldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e96ef0 6 bytes {JMP QWORD [RIP+0x9509140]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e98184 6 bytes {JMP QWORD [RIP+0x95e7eac]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SetParent 0000000076e98530 6 bytes {JMP QWORD [RIP+0x9527b00]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e9a404 6 bytes {JMP QWORD [RIP+0x92c5c2c]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e9aaa0 6 bytes {JMP QWORD [RIP+0x9625590]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e9aad0 6 bytes {JMP QWORD [RIP+0x9545560]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e9c720 6 bytes {JMP QWORD [RIP+0x94e3910]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e9cd50 6 bytes {JMP QWORD [RIP+0x95c32e0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e9d2b0 6 bytes {JMP QWORD [RIP+0x9302d80]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e9d338 6 bytes {JMP QWORD [RIP+0x9342cf8]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e9dc40 6 bytes {JMP QWORD [RIP+0x94223f0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e9f510 6 bytes {JMP QWORD [RIP+0x9600b20]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e9f874 6 bytes {JMP QWORD [RIP+0x92807bc]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e9fac0 6 bytes {JMP QWORD [RIP+0x93a0570]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ea0b74 6 bytes {JMP QWORD [RIP+0x931f4bc]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ea4d4d 5 bytes {JMP QWORD [RIP+0x929b2e4]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ea5010 6 bytes {JMP QWORD [RIP+0x94bb020]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ea5438 6 bytes {JMP QWORD [RIP+0x93dabf8]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ea6b50 6 bytes {JMP QWORD [RIP+0x93594e0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ea76e4 6 bytes {JMP QWORD [RIP+0x92d894c]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076eadd90 6 bytes {JMP QWORD [RIP+0x94522a0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076eae874 6 bytes {JMP QWORD [RIP+0x95917bc]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076eaf780 6 bytes {JMP QWORD [RIP+0x95508b0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076eb28e4 6 bytes {JMP QWORD [RIP+0x93ed74c]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!mouse_event 0000000076eb3894 6 bytes {JMP QWORD [RIP+0x922c79c]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076eb8a10 6 bytes {JMP QWORD [RIP+0x9487620]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076eb8be0 6 bytes {JMP QWORD [RIP+0x9367450]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076eb8c20 6 bytes {JMP QWORD [RIP+0x9247410]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendInput 0000000076eb8cd0 6 bytes {JMP QWORD [RIP+0x9467360]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!BlockInput 0000000076ebad60 6 bytes {JMP QWORD [RIP+0x95652d0]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076ee14e0 6 bytes {JMP QWORD [RIP+0x95feb50]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!keybd_event 0000000076f045a4 6 bytes {JMP QWORD [RIP+0x91bba8c]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f0cc08 6 bytes {JMP QWORD [RIP+0x93d3428]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f0df18 6 bytes {JMP QWORD [RIP+0x9352118]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\wininit.exe[612] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\services.exe[728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\services.exe[728] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefec36bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e96ef0 6 bytes {JMP QWORD [RIP+0x9509140]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e98184 6 bytes {JMP QWORD [RIP+0x95e7eac]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SetParent 0000000076e98530 6 bytes {JMP QWORD [RIP+0x9527b00]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e9a404 6 bytes {JMP QWORD [RIP+0x92c5c2c]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e9aaa0 6 bytes {JMP QWORD [RIP+0x9625590]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e9aad0 6 bytes {JMP QWORD [RIP+0x9545560]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e9c720 6 bytes {JMP QWORD [RIP+0x94e3910]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e9cd50 6 bytes {JMP QWORD [RIP+0x95c32e0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e9d2b0 6 bytes {JMP QWORD [RIP+0x9302d80]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e9d338 6 bytes {JMP QWORD [RIP+0x9342cf8]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e9dc40 6 bytes {JMP QWORD [RIP+0x94223f0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e9f510 6 bytes {JMP QWORD [RIP+0x9600b20]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e9f874 6 bytes {JMP QWORD [RIP+0x92807bc]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e9fac0 6 bytes {JMP QWORD [RIP+0x93a0570]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ea0b74 6 bytes {JMP QWORD [RIP+0x931f4bc]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ea4d4d 5 bytes {JMP QWORD [RIP+0x929b2e4]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ea5010 6 bytes {JMP QWORD [RIP+0x94bb020]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ea5438 6 bytes {JMP QWORD [RIP+0x93dabf8]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ea6b50 6 bytes {JMP QWORD [RIP+0x93594e0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ea76e4 6 bytes {JMP QWORD [RIP+0x92d894c]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076eadd90 6 bytes {JMP QWORD [RIP+0x94522a0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076eae874 6 bytes {JMP QWORD [RIP+0x95917bc]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076eaf780 6 bytes {JMP QWORD [RIP+0x95508b0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076eb28e4 6 bytes {JMP QWORD [RIP+0x93ed74c]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!mouse_event 0000000076eb3894 6 bytes {JMP QWORD [RIP+0x922c79c]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076eb8a10 6 bytes {JMP QWORD [RIP+0x9487620]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076eb8be0 6 bytes {JMP QWORD [RIP+0x9367450]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076eb8c20 6 bytes {JMP QWORD [RIP+0x9247410]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendInput 0000000076eb8cd0 6 bytes {JMP QWORD [RIP+0x9467360]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!BlockInput 0000000076ebad60 6 bytes {JMP QWORD [RIP+0x95652d0]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076ee14e0 6 bytes {JMP QWORD [RIP+0x95feb50]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!keybd_event 0000000076f045a4 6 bytes {JMP QWORD [RIP+0x91bba8c]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f0cc08 6 bytes {JMP QWORD [RIP+0x93d3428]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f0df18 6 bytes {JMP QWORD [RIP+0x9352118]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\services.exe[728] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\lsass.exe[740] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 1000100 .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 238 .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefec36bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 2cc2f0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[860] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x31dd64]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x33db70]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x35a450]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 8015000e .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[924] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x36ac20]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefec36bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 434c2a91 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 1c85f0 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 257c70 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 300030 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[540] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 2bd270 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000076e96ef0 6 bytes {JMP QWORD [RIP+0x9509140]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000076e98184 6 bytes {JMP QWORD [RIP+0x95e7eac]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SetParent 0000000076e98530 6 bytes {JMP QWORD [RIP+0x9527b00]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!PostMessageA 0000000076e9a404 6 bytes {JMP QWORD [RIP+0x92c5c2c]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!EnableWindow 0000000076e9aaa0 6 bytes {JMP QWORD [RIP+0x9625590]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!MoveWindow 0000000076e9aad0 6 bytes {JMP QWORD [RIP+0x9545560]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!GetAsyncKeyState 0000000076e9c720 6 bytes {JMP QWORD [RIP+0x94e3910]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!RegisterHotKey 0000000076e9cd50 6 bytes {JMP QWORD [RIP+0x95c32e0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!PostThreadMessageA 0000000076e9d2b0 6 bytes {JMP QWORD [RIP+0x9302d80]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendMessageA 0000000076e9d338 6 bytes {JMP QWORD [RIP+0x9342cf8]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendNotifyMessageW 0000000076e9dc40 6 bytes {JMP QWORD [RIP+0x94223f0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SystemParametersInfoW 0000000076e9f510 6 bytes {JMP QWORD [RIP+0x9600b20]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076e9f874 6 bytes {JMP QWORD [RIP+0x92807bc]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 0000000076e9fac0 6 bytes {JMP QWORD [RIP+0x93a0570]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000076ea0b74 6 bytes {JMP QWORD [RIP+0x931f4bc]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000076ea4d4d 5 bytes {JMP QWORD [RIP+0x929b2e4]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!GetKeyState 0000000076ea5010 6 bytes {JMP QWORD [RIP+0x94bb020]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000076ea5438 6 bytes {JMP QWORD [RIP+0x93dabf8]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendMessageW 0000000076ea6b50 6 bytes {JMP QWORD [RIP+0x93594e0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!PostMessageW 0000000076ea76e4 6 bytes {JMP QWORD [RIP+0x92d894c]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 0000000076eadd90 6 bytes {JMP QWORD [RIP+0x94522a0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!GetClipboardData 0000000076eae874 6 bytes {JMP QWORD [RIP+0x95917bc]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SetClipboardViewer 0000000076eaf780 6 bytes {JMP QWORD [RIP+0x95508b0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendNotifyMessageA 0000000076eb28e4 6 bytes {JMP QWORD [RIP+0x93ed74c]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!mouse_event 0000000076eb3894 6 bytes {JMP QWORD [RIP+0x922c79c]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000076eb8a10 6 bytes {JMP QWORD [RIP+0x9487620]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000076eb8be0 6 bytes {JMP QWORD [RIP+0x9367450]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076eb8c20 6 bytes {JMP QWORD [RIP+0x9247410]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendInput 0000000076eb8cd0 6 bytes {JMP QWORD [RIP+0x9467360]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!BlockInput 0000000076ebad60 6 bytes {JMP QWORD [RIP+0x95652d0]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000076ee14e0 6 bytes {JMP QWORD [RIP+0x95feb50]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!keybd_event 0000000076f045a4 6 bytes {JMP QWORD [RIP+0x91bba8c]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000076f0cc08 6 bytes {JMP QWORD [RIP+0x93d3428]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000076f0df18 6 bytes {JMP QWORD [RIP+0x9352118]} .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[472] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 550006 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP fa904510 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 8f0 .text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 73007300 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes JMP 7e13769 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes JMP 19d980 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes JMP 948f028 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes JMP d7547f0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes JMP e87e600 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes JMP a23180 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes JMP f85080 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes JMP 927b121 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes JMP 2ed5c49 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes JMP e602331 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes JMP a093c61 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes JMP 429280 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes JMP 17580 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes JMP 1a880 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes JMP 9370911 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes JMP 1421580 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes JMP 1a4680 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes JMP 2d1b0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\System32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes JMP d94e55 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes JMP 48e80 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes JMP bd080 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes JMP 9057808 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\System32\svchost.exe[1068] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP ffffffff .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP ffffffff .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefec36bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 1 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 24656863 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 10001 .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[1204] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[1260] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 75006800 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 7fe .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 9 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1508] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x33db70]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x35a450]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x394648]} .text C:\Windows\system32\nvvsvc.exe[1516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x36ac20]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 0 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes JMP dba6b6c2 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7efdc88 5 bytes JMP 000007fff7cf00d8 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7efde10 5 bytes JMP 000007fff7cf0110 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1788] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 75006800 .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Windows\Explorer.EXE[1808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1964] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 9 .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefec36bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 1377af8 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 64006f .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 33006d .text C:\Windows\system32\svchost.exe[1580] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd5da1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1912] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2064] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Windows\system32\taskeng.exe[2180] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2212] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2268] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes [ED, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes [EA, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes [DE, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes [E7, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes [E1, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes [E4, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2460] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files\Elantech\ETDCtrl.exe[2516] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2576] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 60007 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2584] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2628] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[2676] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP f5115078 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 7fe .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2724] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe[2732] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Windows\System32\hkcmd.exe[2932] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x2b7668]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf30228 .text C:\Windows\System32\igfxpers.exe[2940] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf30260 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf200d8 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf20148 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 0 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf20180 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf20110 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 15] .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff1d7490 11 bytes JMP 000007fffcf20228 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff1ebf00 7 bytes JMP 000007fffcf20260 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x160dd64]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x162db70]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x174a450]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2f7c98]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf201f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x15e6cec]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1784648]} .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf201b8 .text C:\Program Files\Microsoft Security Client\msseces.exe[2948] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x175ac20]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2208] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1692] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2248] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes JMP 0 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 0E] .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes JMP ae3e2a0 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x1addd64]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x1afdb70]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x1b1a450]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x1aa6cec]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1b54648]} .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\WapSter\WapSter AQQ\AQQ.exe[3252] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x1b2ac20]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076fcefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076ff99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077009640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007702a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 75006800 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 10] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x10add64]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x10cdb70]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x10ea450]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP feef5690 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x1124648]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x10fac20]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x31dd64]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x33db70]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x35a450]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x2d7c98]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 620069 .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x2f6cec]} .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\SearchIndexer.exe[3792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000772a000c 1 byte [C3] .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007732f85a 5 bytes JMP 00000001772dd571 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Users\Piotrek\AppData\Roaming\Spotify\spotify.exe[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3960] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Users\Piotrek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[892] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 2a1dc0 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes JMP 1 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes JMP 314648 .text C:\Windows\system32\svchost.exe[2776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Users\Piotrek\AppData\Roaming\Dropbox\bin\Dropbox.exe[4432] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4780] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4788] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\svchost.exe[3344] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [2620] entry point in ".rdata" section 000000006fde71e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x778e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x778e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 2 bytes [BA, A8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 8 00000000772afc08 4 bytes {JA 0x2; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 2 bytes [BA, 28] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 8 00000000772afc20 4 bytes {JA 0x2; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x778f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x778f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x778ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x778ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x778c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x778ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x778c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 2 bytes [BA, E8] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 8 00000000772b10a8 4 bytes {JA 0x2; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 2 bytes [BA, 68] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 8 00000000772b1120 4 bytes {JA 0x2; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x778ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x6da628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x6da668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0x6da5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0x6da528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x6da728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x6da768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x6da6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x6da6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x6da468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x6da4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x6da428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0x6da5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0x6da568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x6da4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x767228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x767268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0x7671a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0x767128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x767328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x767368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x7672e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x7672a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x767068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x7670a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x767028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0x7671e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0x767168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x7670e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x649228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x649268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0x6491a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0x649128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x649328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x649368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x6492e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x6492a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x649068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x6490a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x649028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0x6491e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0x649168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x6490e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x267a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x267a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0x2679a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0x267928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x267b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x267b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x267ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x267aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x267868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x2678a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x267828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0x2679e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0x267968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x2678e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x64ba28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x64ba68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0x64b9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0x64b928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x64bb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x64bb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x64bae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x64baa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x64b868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x64b8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x64b828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0x64b9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0x64b968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x64b8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0xe8a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0xe8a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0xe89a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0xe8928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0xe8b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0xe8b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0xe8ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0xe8aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0xe8868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0xe88a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0xe8828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0xe89e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0xe8968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0xe88e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes CALL 5b000038 .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes JMP 445a16 .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes JMP 0 .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\cmd.exe[3408] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000770d3ae0 6 bytes {JMP QWORD [RIP+0x8f6c550]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077101400 6 bytes {JMP QWORD [RIP+0x8f1ec30]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771015d0 6 bytes {JMP QWORD [RIP+0x949ea60]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077101640 6 bytes {JMP QWORD [RIP+0x957e9f0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077101680 6 bytes {JMP QWORD [RIP+0x953e9b0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077101720 6 bytes {JMP QWORD [RIP+0x959e910]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771017b0 6 bytes {JMP QWORD [RIP+0x951e880]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771017f0 6 bytes {JMP QWORD [RIP+0x941e840]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077101840 6 bytes {JMP QWORD [RIP+0x943e7f0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077101860 6 bytes {JMP QWORD [RIP+0x955e7d0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077101a50 6 bytes {JMP QWORD [RIP+0x961e5e0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077101b60 6 bytes {JMP QWORD [RIP+0x93fe4d0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077101c30 6 bytes {JMP QWORD [RIP+0x94be400]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077101d80 6 bytes {JMP QWORD [RIP+0x95be2b0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077101d90 6 bytes {JMP QWORD [RIP+0x95fe2a0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077102100 6 bytes {JMP QWORD [RIP+0x94ddf30]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077102190 6 bytes {JMP QWORD [RIP+0x95ddea0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077102a00 6 bytes {JMP QWORD [RIP+0x94fd630]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077102a80 6 bytes {JMP QWORD [RIP+0x945d5b0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077102b00 6 bytes {JMP QWORD [RIP+0x947d530]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 0000000076f9a420 6 bytes {JMP QWORD [RIP+0x9105c10]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076fb1b50 6 bytes {JMP QWORD [RIP+0x90ae4e0]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077028810 6 bytes {JMP QWORD [RIP+0x9057820]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 06] .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes [FF, 25, A0, AD, 0A] .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes JMP 40050105 .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\conhost.exe[1976] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcf43460 7 bytes JMP 000007fffcf300d8 .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf49940 6 bytes JMP 000007fffcf30148 .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49aa5 3 bytes [65, 65, 08] .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcf49fb0 5 bytes JMP 000007fffcf30180 .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcf4a150 5 bytes JMP 000007fffcf30110 .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf55290 5 bytes JMP 7f2e .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefd9122cc 6 bytes {JMP QWORD [RIP+0x29dd64]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!BitBlt 000007fefd9124c0 6 bytes {JMP QWORD [RIP+0x2bdb70]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefd915be0 6 bytes {JMP QWORD [RIP+0x2da450]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefd918398 6 bytes {JMP QWORD [RIP+0x257c98]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefd9189c8 6 bytes {JMP QWORD [RIP+0x237668]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd9189e0 8 bytes JMP 000007fffcf301f0 .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!GetPixel 000007fefd919344 6 bytes {JMP QWORD [RIP+0x276cec]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefd91b9e8 6 bytes {JMP QWORD [RIP+0x314648]} .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd91be40 8 bytes JMP 000007fffcf301b8 .text C:\Windows\system32\PING.EXE[4456] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefd925410 6 bytes {JMP QWORD [RIP+0x2eac20]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0x523628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0x523668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0x5235a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0x523528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0x523728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0x523768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0x5236e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0x5236a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0x523468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0x5234a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0x523428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0x5235e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0x523568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0x5234e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772af991 7 bytes {MOV EDX, 0xcc628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772afbd5 7 bytes {MOV EDX, 0xcc668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772afc05 7 bytes {MOV EDX, 0xcc5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772afc1d 7 bytes {MOV EDX, 0xcc528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772afc35 7 bytes {MOV EDX, 0xcc728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772afc65 7 bytes {MOV EDX, 0xcc768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772afce5 7 bytes {MOV EDX, 0xcc6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772afcfd 7 bytes {MOV EDX, 0xcc6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772afd49 7 bytes {MOV EDX, 0xcc468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772afe41 7 bytes {MOV EDX, 0xcc4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772b0099 7 bytes {MOV EDX, 0xcc428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772b10a5 7 bytes {MOV EDX, 0xcc5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772b111d 7 bytes {MOV EDX, 0xcc568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772b1321 7 bytes {MOV EDX, 0xcc4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076b61429 7 bytes JMP 00000001724112ad .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076b7b223 5 bytes JMP 00000001724115be .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076bf88f4 7 bytes JMP 0000000172411357 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076bf8979 5 bytes JMP 00000001724116e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076bf8ccf 5 bytes JMP 0000000172411028 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076091d1b 5 bytes JMP 00000001724111ef .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076091dc9 5 bytes JMP 0000000172411023 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076092aa4 5 bytes JMP 000000017241156e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076092d0a 5 bytes JMP 0000000172411294 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e6e9a2 5 bytes JMP 00000001724115d7 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e6ebdc 5 bytes JMP 00000001724111b8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000172411050 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 00000001724110d2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f05ea5 5 bytes JMP 0000000172411609 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f39d0b 5 bytes JMP 0000000172411249 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000772af9c0 3 bytes JMP 71af000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000772af9c4 2 bytes JMP 71af000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772afc90 3 bytes JMP 7103000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000772afc94 2 bytes JMP 7103000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772afd44 3 bytes JMP 70ee000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000772afd48 2 bytes JMP 70ee000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000772afda8 3 bytes JMP 70f4000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000772afdac 2 bytes JMP 70f4000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000772afea0 3 bytes JMP 70eb000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000772afea4 2 bytes JMP 70eb000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000772aff84 3 bytes JMP 70f7000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000772aff88 2 bytes JMP 70f7000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000772affe4 3 bytes JMP 710f000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000772affe8 2 bytes JMP 710f000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000772b0064 3 bytes JMP 710c000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000772b0068 2 bytes JMP 710c000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772b0094 3 bytes JMP 70f1000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000772b0098 2 bytes JMP 70f1000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000772b0398 3 bytes JMP 70df000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000772b039c 2 bytes JMP 70df000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772b0530 3 bytes JMP 7112000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000772b0534 2 bytes JMP 7112000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000772b0674 3 bytes JMP 7100000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000772b0678 2 bytes JMP 7100000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000772b086c 3 bytes JMP 70e8000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000772b0870 2 bytes JMP 70e8000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772b0884 3 bytes JMP 70e2000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000772b0888 2 bytes JMP 70e2000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000772b0dd4 3 bytes JMP 70fd000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000772b0dd8 2 bytes JMP 70fd000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000772b0eb8 3 bytes JMP 70e5000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000772b0ebc 2 bytes JMP 70e5000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000772b1bc4 3 bytes JMP 70fa000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000772b1bc8 2 bytes JMP 70fa000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000772b1c94 3 bytes JMP 7109000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000772b1c98 2 bytes JMP 7109000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000772b1d6c 3 bytes JMP 7106000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000772b1d70 2 bytes JMP 7106000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000772d1217 6 bytes JMP 71a8000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076b5103d 6 bytes JMP 719c000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076b51072 6 bytes JMP 7199000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b7c9b5 6 bytes JMP 7193000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007608f776 6 bytes JMP 719f000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076092c91 4 bytes CALL 71ac0000 .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076208bff 6 bytes JMP 7160000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000762090d3 6 bytes JMP 711b000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076209679 6 bytes JMP 715a000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000762097d2 6 bytes JMP 7154000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 6 bytes JMP 716c000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007620efc9 3 bytes JMP 7121000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007620efcd 2 bytes JMP 7121000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762112a5 6 bytes JMP 7166000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007621291f 6 bytes JMP 7139000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetParent 0000000076212d64 3 bytes JMP 7130000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076212d68 2 bytes JMP 7130000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076212da4 6 bytes JMP 7118000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076213698 3 bytes JMP 712d000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007621369c 2 bytes JMP 712d000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076213baa 6 bytes JMP 7169000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076213c61 6 bytes JMP 7163000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007621612e 6 bytes JMP 715d000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076216c30 6 bytes JMP 711e000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 6 bytes JMP 716f000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076217668 6 bytes JMP 7148000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000762176e0 6 bytes JMP 714e000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007621781f 6 bytes JMP 7157000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 6 bytes JMP 7172000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007621c4b6 3 bytes JMP 712a000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007621c4ba 2 bytes JMP 712a000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007622c112 6 bytes JMP 7145000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007622d0f5 6 bytes JMP 7142000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007622eb96 6 bytes JMP 7136000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007622ec68 3 bytes JMP 713c000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007622ec6c 2 bytes JMP 713c000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendInput 000000007622ff4a 3 bytes JMP 713f000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007622ff4e 2 bytes JMP 713f000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076249f1d 6 bytes JMP 7124000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076251497 6 bytes JMP 7115000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!mouse_event 000000007626027b 6 bytes JMP 7175000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762602bf 6 bytes JMP 7178000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076266cfc 6 bytes JMP 7151000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076266d5d 6 bytes JMP 714b000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076267dd7 3 bytes JMP 7127000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076267ddb 2 bytes JMP 7127000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000762688eb 3 bytes JMP 7133000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000762688ef 2 bytes JMP 7133000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075e558b3 6 bytes JMP 7187000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075e55ea6 6 bytes JMP 7184000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075e57bcc 6 bytes JMP 7190000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000075e5b895 6 bytes JMP 717b000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000075e5c332 6 bytes JMP 7181000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075e5cbfb 6 bytes JMP 718a000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075e5e743 6 bytes JMP 718d000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000075e84646 6 bytes JMP 717e000a .text E:\Chrome-pobrane\syv15t6k.exe[5896] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075de2538 6 bytes JMP 7196000a ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [13f80eb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [13f80fbf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [13f80de30] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [13f80ec50] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [13f80eda0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [13f80ddc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRect] [13f80f470] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [13f80de90] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [13f80e140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [13f80f640] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [13f80f320] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [13f80dfd0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [13f80df10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [13f80e1f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [13f80ddc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [13f80eda0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [13f80f590] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [13f80de30] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [13f80e1f0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [13f80ddc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [13f80eda0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [13f80eb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [13f80eda0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [13f80ddc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [13f80de30] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\version.DLL[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!CreateThread] [13f80eb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetModuleHandleA] [13f80fbf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\urlmon.dll[USER32.dll!RegisterClassA] [13f80ec50] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [13f80f640] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [13f80eb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [13f80de30] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetModuleHandleA] [13f80fbf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[GDI32.dll!DeleteObject] [13f80de30] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!GetSysColor] [13f80ddc0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\imagehlp.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [13f80eb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [13f80eda0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!LoadLibraryA] [13f80f9d0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!GetModuleHandleA] [13f80fbf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\PROPSYS.dll[USER32.dll!GetSystemMetrics] [13f80eef0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\cscui.dll[USER32.dll!SystemParametersInfoW] [13f80f140] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\cscui.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\cscui.dll[KERNEL32.dll!LoadLibraryW] [13f80fa20] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\System32\cscui.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!LoadLibraryExW] [13f80faf0] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!CreateThread] [13f80eb70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [13f80fd10] C:\Program Files\COMODO\COMODO Internet Security\cis.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4988] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!LoadLibraryExA] [13f80fa70] C:\Program Files\COMODO\COMODO Internet Security\cis.exe ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4672:4932] 000007fefac82a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4672:3212] 000007fef4e25124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b2699a Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b2699a (not active ControlSet) ---- EOF - GMER 2.1 ----