GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-05 19:00:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB Running: jbisp9fz.exe; Driver: C:\Users\Browar\AppData\Local\Temp\ufdiipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800047f8000 63 bytes [43, 4D, 33, 31, 05, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 593 fffff800047f8041 12 bytes [90, F5, 09, A0, F8, FF, FF, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077561360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077561560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077561360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077561560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 0 .text C:\Windows\system32\services.exe[688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes JMP a2750 .text C:\Windows\system32\services.exe[688] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff274750 6 bytes {JMP QWORD [RIP+0x17b8e0]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd1250a0 6 bytes JMP 0 .text C:\Windows\system32\services.exe[688] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007741f874 6 bytes {JMP QWORD [RIP+0x8cc07bc]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077424d4d 5 bytes {JMP QWORD [RIP+0x8cdb2e4]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077438c20 6 bytes {JMP QWORD [RIP+0x8c87410]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2cdd60]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x287cac]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x26766c]} .text C:\Windows\system32\services.exe[688] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x2a6cf4]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes {JMP QWORD [RIP+0x2a5940]} .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[704] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000ac50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[712] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000df50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff274750 6 bytes {JMP QWORD [RIP+0x17b8e0]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2cdd60]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x287cac]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x26766c]} .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x2a6cf4]} .text C:\Windows\system32\svchost.exe[864] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000de50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff274750 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x287cac]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x26766c]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x2a6cf4]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes {JMP QWORD [RIP+0x2a5940]} .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 1ca .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 80000068 .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 80006 .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000fd50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes JMP c000c .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes JMP 469e80 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes JMP 100010 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes JMP 1d07ee9 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes JMP 170017 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes JMP 33005c .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes JMP 4c3f140 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes JMP 1d07ee9 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes JMP 2b9a434 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes JMP 1f001f .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes JMP 6404961 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes JMP 8c7e488 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes JMP baadf00d .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes JMP 43f4434 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes JMP 7b3f511 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes JMP 1012d05 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes JMP 976fba8 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes JMP 9f78351 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes JMP a3bd050 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes JMP 7c3881 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes JMP 6081 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 300030 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 88000075 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\System32\SspiCli.dll!EncryptMessage 0000000000f250a0 6 bytes {JMP QWORD [RIP+0x11af90]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 9000004f .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[488] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000fd50a0 6 bytes {JMP QWORD [RIP+0xdaf90]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff274750 6 bytes {JMP QWORD [RIP+0x17b8e0]} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 690057 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 7fe .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP fddf6db0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 6c0064 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000fb50a0 6 bytes {JMP QWORD [RIP+0xeaf90]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000dc50a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes {JMP QWORD [RIP+0x2a5940]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes {JMP QWORD [RIP+0x29f420]} .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000e550a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 900000df .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP 720062 .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 200077 .text C:\Windows\system32\FBAgent.exe[1412] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000cd50a0 6 bytes {JMP QWORD [RIP+0xc6af90]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd5f2db0 5 bytes JMP 000007fffd5e0180 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5f37d0 7 bytes JMP 000007fffd5e00d8 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd5f8ef0 6 bytes JMP 000007fffd5e0148 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd60af60 5 bytes JMP 000007fffd5e0110 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 40821bdf .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff1989e0 8 bytes JMP 000007fffd5e01f0 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff19be40 8 bytes JMP 000007fffd5e01b8 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef94ddc88 5 bytes JMP 000007fff92d00d8 .text C:\Windows\system32\Dwm.exe[1640] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef94dde10 5 bytes JMP 000007fff92d0110 .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes JMP 7ed1 .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007741f874 6 bytes {JMP QWORD [RIP+0x8cc07bc]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077424d4d 5 bytes {JMP QWORD [RIP+0x8cdb2e4]} .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077438c20 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1664] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd1250a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x30dd60]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x2c7cac]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x2a766c]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x2e6cf4]} .text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000021b50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 50ccc0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000025150a0 6 bytes {JMP QWORD [RIP+0x13af90]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff274750 6 bytes {JMP QWORD [RIP+0x17b8e0]} .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP 610063 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP e .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000f650a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\taskeng.exe[1912] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000020d50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes [65, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes [56, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes [4D, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes [59, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes [71, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes [62, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes [4A, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes [5F, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes [47, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes [5C, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes [6B, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes [68, 71] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes [FF, 25, 1E, 00, A7] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007595103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075951072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2024] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007597c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes JMP 0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 6b0361 .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\SysWOW64\ACEngSvr.exe[2100] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Windows\AsScrPro.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 330030 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 1cf50e3 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2416] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\System32\igfxtray.exe[2484] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x30dd60]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x2c7cac]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x2a766c]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x2e6cf4]} .text C:\Program Files\Rainlendar2\Rainlendar2.exe[2492] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000020d50a0 6 bytes {JMP QWORD [RIP+0x48af90]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATIILE.EXE[2500] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000021350a0 6 bytes {JMP QWORD [RIP+0x9af90]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP fdc02538 .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 5c0073 .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\hkcmd.exe[2568] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 7fe .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes [5F, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes [47, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes [6B, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 713c000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 713c000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 716f000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 716f000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes [5C, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes [44, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 713f000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 713f000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes [59, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes [41, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes [56, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes [65, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes [62, 71] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2800] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\igfxpers.exe[2828] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2896] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e650a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\EscSvc64.exe[2968] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1292] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP 0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes {JMP QWORD [RIP+0x29f420]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3084] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000003fa50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes JMP 5d24 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 2a1c09 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff0fa6f0 6 bytes JMP 3244 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3132] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007feff120c10 6 bytes JMP 55002d .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3480] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 9000004c .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\SearchIndexer.exe[3888] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000fd50a0 6 bytes JMP b3e7 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[4092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 20000000 .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\svchost.exe[5068] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000db50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\KERNEL32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 79000026 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2672] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2004] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 79000026 .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Windows\system32\nvvsvc.exe[4956] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes [B5, 6F, 06] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes {JMP QWORD [RIP+0x24766c]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4980] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077533b10 6 bytes {JMP QWORD [RIP+0x8b0c520]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000775613a0 6 bytes {JMP QWORD [RIP+0x8abec90]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077561570 6 bytes {JMP QWORD [RIP+0x8c5eac0]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000775615e0 6 bytes {JMP QWORD [RIP+0x8d3ea50]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077561620 6 bytes {JMP QWORD [RIP+0x8cfea10]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000775616c0 6 bytes {JMP QWORD [RIP+0x8d5e970]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077561750 6 bytes {JMP QWORD [RIP+0x8cde8e0]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077561790 6 bytes {JMP QWORD [RIP+0x8bde8a0]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775617e0 6 bytes {JMP QWORD [RIP+0x8bfe850]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077561800 6 bytes {JMP QWORD [RIP+0x8d1e830]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000775619f0 6 bytes {JMP QWORD [RIP+0x8dde640]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077561b00 6 bytes {JMP QWORD [RIP+0x8bbe530]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077561bd0 6 bytes {JMP QWORD [RIP+0x8c7e460]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077561d20 6 bytes {JMP QWORD [RIP+0x8d7e310]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077561d30 6 bytes {JMP QWORD [RIP+0x8dbe300]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775620a0 6 bytes {JMP QWORD [RIP+0x8c9df90]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077562130 6 bytes {JMP QWORD [RIP+0x8d9df00]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775629a0 6 bytes {JMP QWORD [RIP+0x8cbd690]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077562a20 6 bytes {JMP QWORD [RIP+0x8c1d610]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077562aa0 6 bytes {JMP QWORD [RIP+0x8c3d590]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000772fa420 6 bytes {JMP QWORD [RIP+0x8da5c10]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077311b50 6 bytes {JMP QWORD [RIP+0x8d4e4e0]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\kernel32.dll!CreateProcessA 0000000077388810 6 bytes {JMP QWORD [RIP+0x8cf7820]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd5f9055 3 bytes CALL 79000026 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd6053c0 5 bytes [FF, 25, 70, AC, 0E] .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff1922d0 6 bytes {JMP QWORD [RIP+0x2add60]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff198384 6 bytes {JMP QWORD [RIP+0x267cac]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff1989c4 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\GDI32.dll!GetPixel 000007feff19933c 6 bytes {JMP QWORD [RIP+0x286cf4]} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000015950a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007770f9e0 3 bytes JMP 71af000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007770f9e4 2 bytes JMP 71af000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007770fcb0 3 bytes JMP 7166000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007770fcb4 2 bytes JMP 7166000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007770fd64 3 bytes JMP 7151000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007770fd68 2 bytes JMP 7151000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007770fdc8 3 bytes JMP 7157000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007770fdcc 2 bytes JMP 7157000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007770fec0 3 bytes JMP 714e000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007770fec4 2 bytes JMP 714e000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007770ffa4 3 bytes JMP 715a000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007770ffa8 2 bytes JMP 715a000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077710004 3 bytes JMP 7172000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077710008 2 bytes JMP 7172000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077710084 3 bytes JMP 716f000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077710088 2 bytes JMP 716f000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777100b4 3 bytes JMP 7154000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777100b8 2 bytes JMP 7154000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000777103b8 3 bytes JMP 7142000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000777103bc 2 bytes JMP 7142000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077710550 3 bytes JMP 7175000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077710554 2 bytes JMP 7175000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077710694 3 bytes JMP 7163000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077710698 2 bytes JMP 7163000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007771088c 3 bytes JMP 714b000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077710890 2 bytes JMP 714b000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000777108a4 3 bytes JMP 7145000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000777108a8 2 bytes JMP 7145000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077710df4 3 bytes JMP 7160000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077710df8 2 bytes JMP 7160000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077710ed8 3 bytes JMP 7148000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077710edc 2 bytes JMP 7148000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077711be4 3 bytes JMP 715d000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077711be8 2 bytes JMP 715d000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077711cb4 3 bytes JMP 716c000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077711cb8 2 bytes JMP 716c000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077711d8c 3 bytes JMP 7169000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077711d90 2 bytes JMP 7169000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077731287 5 bytes JMP 71a8000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007595103d 6 bytes JMP 719c000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075951072 6 bytes JMP 7199000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007597c965 6 bytes JMP 7190000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007542f776 6 bytes JMP 719f000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075432c91 4 bytes CALL 71ac0000 .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007720ee09 6 bytes JMP 7178000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077217603 6 bytes JMP 717b000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007721835c 6 bytes JMP 717e000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000758658b3 6 bytes JMP 7184000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075867bcc 6 bytes JMP 718d000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007586cbfb 6 bytes JMP 7187000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007586e743 6 bytes JMP 718a000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000769f2642 6 bytes JMP 7196000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000769f5429 6 bytes JMP 7193000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007513124e 6 bytes JMP 7181000a .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77] .text D:\Programy\jbisp9fz.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\LPK.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\LPK.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EnableScrollBar] [1401caad0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DrawFrameControl] [1401cbfb0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetScrollInfo] [1401cab90] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollInfo] [1401caa20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetScrollPos] [1401ca960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\SHELL32.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ole32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\OLEAUT32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\IMM32.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!GetModuleHandleA] [1401cc4d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[USER32.dll!RegisterClassA] [1401cb6a0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_2b25b14c71ebf230\gdiplus.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSysColor] [1401ca810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DrawEdge] [1401cbf20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSysColorBrush] [1401ca8e0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DefFrameProcW] [1401cb110] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!DrawMenuBar] [1401cc050] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!AdjustWindowRectEx] [1401cbd20] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!CallWindowProcW] [1401cac40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[USER32.dll!FillRect] [1401cbe70] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\uxtheme.dll[GDI32.dll!DeleteObject] [1401ca880] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryExW] [1401cc3d0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryW] [1401cc300] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[KERNEL32.dll!LoadLibraryA] [1401cc2b0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\System32\msxml3.dll[USER32.dll!RegisterClassW] [1401cb7f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SystemParametersInfoW] [1401cbb40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\dwmapi.dll[USER32.dll!GetSystemMetrics] [1401cb940] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!CreateThread] [1401cb5c0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [1401cc5f0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2468] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!LoadLibraryExA] [1401cc350] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f74218 Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f74218 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----