GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-12-30 19:07:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 ST925031 rev.0002 232,89GB Running: m57g1hli.exe; Driver: C:\Users\user\AppData\Local\Temp\uwtdapob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800035b8000 45 bytes [00, 00, 20, 00, 49, 72, 70, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800035b802f 17 bytes [00, 30, 70, EA, 0B, 80, FA, ...] .text C:\Windows\System32\win32k.sys!XLATEOBJ_iXlate + 665 fffff9600011b85d 13 bytes {MOV RAX, 0xfffffa8008bac8c8; JMP RAX} .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000164300 7 bytes [00, A1, F3, FF, 41, B4, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000164308 3 bytes [00, 07, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771a1360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771a1560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\services.exe[556] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[556] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes JMP 116078 .text C:\Windows\system32\services.exe[556] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefcd150a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007705f874 6 bytes {JMP QWORD [RIP+0x90407bc]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077064d4d 5 bytes {JMP QWORD [RIP+0x905b2e4]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077078c20 6 bytes {JMP QWORD [RIP+0x9007410]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP 73006f .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 547015f1 .text C:\Windows\system32\services.exe[556] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 5f0073 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\lsass.exe[564] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000b750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\lsm.exe[572] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000da50a0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[684] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000f450a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Windows\system32\nvvsvc.exe[812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes JMP d45190 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f150a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f950a0 6 bytes {JMP QWORD [RIP+0x11af90]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP f0100 .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 61004400 .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 1000253b .text C:\Windows\System32\svchost.exe[364] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000f950a0 6 bytes JMP e .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes [5F, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes [50, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes [53, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes [6B, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes [7D, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes [5C, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes [74, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes [7A, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes [6E, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes [71, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes [44, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes [59, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes [41, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes [56, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes [65, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes [62, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe[460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes [3E, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes [5F, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes [47, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes [6B, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes [7D, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes [5C, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes [74, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes [6E, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes [71, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes [44, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes [59, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes [41, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes [56, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes [65, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes [62, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[348] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes JMP 78681 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes JMP 18d180 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes JMP 913e9f8 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes JMP 68a81 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes JMP 9996e38 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes JMP 6fb1601 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes JMP 2a22e81 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes JMP a700a8 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes JMP 450049 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes JMP 5fd33b9 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes JMP c00c3 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes JMP a799249 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes JMP 5852cea .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes JMP a799c61 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000010d50a0 6 bytes {JMP QWORD [RIP+0x17af90]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes JMP 64 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010450a0 6 bytes {JMP QWORD [RIP+0x1caf90]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e350a0 6 bytes {JMP QWORD [RIP+0x55af90]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x65dd64]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Windows\system32\nvvsvc.exe[1604] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000016150a0 6 bytes {JMP QWORD [RIP+0x17af90]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes [56, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes [5F, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes [5C, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe[1876] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[1908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\Dwm.exe[1992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes JMP 32416d0 .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007705f874 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077064d4d 5 bytes {JMP QWORD [RIP+0x905b2e4]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077078c20 6 bytes {JMP QWORD [RIP+0x9007410]} .text C:\Windows\Explorer.EXE[2028] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcd150a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x43dd64]} .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP ffffffff .text C:\Windows\System32\spoolsv.exe[1040] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000023850a0 6 bytes {JMP QWORD [RIP+0xbaf90]} .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes [38, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 715e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 715e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 7149000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 7149000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 714f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 714f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7146000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7146000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes [75, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7152000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7152000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7167000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7167000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7137000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7137000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 717f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 717f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7173000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7173000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 7179000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 7179000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7170000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7170000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7143000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7143000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 7158000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 7158000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7140000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7140000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7155000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7155000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7164000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7164000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7161000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7161000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7182000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7185000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 7188000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes {JMP QWORD [RIP+0x718d001e]} .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7197000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7191000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7194000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe[2068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 712c000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 712c000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 714d000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 714d000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 7138000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 7138000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 713e000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 713e000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7135000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7135000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7141000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7141000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 7159000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 7159000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7156000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7156000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 713b000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 713b000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7126000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7126000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 714a000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 714a000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 715c000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 715c000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7132000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7132000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 7129000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 7129000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 7147000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 7147000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 712f000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 712f000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7144000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7144000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7153000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7153000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7150000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7150000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754a8791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\taskeng.exe[2276] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000022c50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes [77, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes [74, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes [7A, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x83dd64]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2360] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000c850a0 6 bytes JMP 17ae90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x66dd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x477c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x457658]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x646cec]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes [5F, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes [47, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes [6B, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes [5C, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes [74, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes [6E, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes [44, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes [59, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes [41, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes [56, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes [65, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes [62, 71] .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe[2860] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes JMP 19e4 .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\wbem\wmiprvse.exe[3052] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000015250a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x65dd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1156] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes [4A, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes [47, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes [4D, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x43dd64]} .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\wbem\unsecapp.exe[3124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 238 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\SysWOW64\ACEngSvr.exe[3456] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010a50a0 6 bytes JMP 429c40 .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x43dd64]} .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\System32\alg.exe[3904] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes JMP 1000100 .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 238 .text C:\Windows\system32\svchost.exe[2732] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e050a0 6 bytes {JMP QWORD [RIP+0x4daf90]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x65dd64]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Program Files\Elantech\ETDCtrl.exe[3476] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x83dd64]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[2384] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x65dd64]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2976] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x66dd64]} .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x477c98]} .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x457658]} .text C:\Windows\WindowsMobile\wmdc.exe[3572] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x646cec]} .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes [3E, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes [5F, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes [50, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes [47, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes [53, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes [6B, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes [4D, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes [38, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes [7D, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes [80, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes [5C, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes [74, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes [7A, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes [6E, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes [71, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes [44, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes [3B, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes [59, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes [41, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes [56, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes [65, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes [62, 71] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Dyn Updater\DynTray.exe[2616] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes [9B, 71] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x83dd64]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x467c98]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x447658]} .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[4164] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x486cec]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\svchost.exe[4176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes [68, 71] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 711f000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 711f000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 712b000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 712b000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7128000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7128000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 712e000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 712e000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7119000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7119000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7125000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7125000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 711c000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 711c000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7122000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7122000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe[4308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 7125000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 7125000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 712e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 712e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 711f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 711f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes [80, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes [5C, 71] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 712b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 712b000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 7122000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 7122000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7128000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7128000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes [50, 71] .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.0\bin\TrayPopupE\TrayTipAgentE.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 7125000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 712e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 711f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 712b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 7122000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7128000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\System32\svchost.exe[2768] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000dc50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes JMP ab6f .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[3008] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\AUDIODG.EXE[5940] C:\Windows\System32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x8ecc520]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x8e7ec90]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x91febc0]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x909eac0]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x917ea50]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x919e970]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8f9e900]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x901e8a0]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x903e850]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x915e830]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x923e640]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8f5e630]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90be460]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x8fbe420]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f7e3b0]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x8ffe380]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x8fde320]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x91be310]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x921e300]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x90ddf90]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x91ddf00]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x90fd690]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x905d610]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x907d590]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x91124b0]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x1fdd64]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes JMP 0 .text C:\Windows\system32\DllHost.exe[4212] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000050750a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000771a1370 6 bytes {JMP QWORD [RIP+0x8f7ecc0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x999ebc0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771a14d0 6 bytes {JMP QWORD [RIP+0x8f5eb60]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000771a14e0 6 bytes {JMP QWORD [RIP+0x91beb50]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x988eac0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x919ea50]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000771a1640 6 bytes {JMP QWORD [RIP+0x91de9f0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771a16b0 6 bytes {JMP QWORD [RIP+0x8ffe980]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x993e970]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8fde900]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x980e8a0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x982e850]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x917e830]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8efe630]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90de460]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x901e420]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f9e3b0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000771a1c90 6 bytes {JMP QWORD [RIP+0x915e3a0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x909e380]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x905e320]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x995e310]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x99be300]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000771a1d90 6 bytes {JMP QWORD [RIP+0x90fe2a0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x997df00]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771a2190 6 bytes {JMP QWORD [RIP+0x921dea0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771a21a0 6 bytes {JMP QWORD [RIP+0x91fde90]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771a21d0 6 bytes {JMP QWORD [RIP+0x903de60]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771a2240 6 bytes {JMP QWORD [RIP+0x8fbddf0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771a2290 6 bytes {JMP QWORD [RIP+0x907dda0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771a27a0 6 bytes {JMP QWORD [RIP+0x90bd890]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000771a29c0 6 bytes {JMP QWORD [RIP+0x923d670]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x984d610]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x986d590]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076f362e0 6 bytes {JMP QWORD [RIP+0x90e9d50]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076f43a20 6 bytes {JMP QWORD [RIP+0x913c610]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x98924b0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076fb16e0 6 bytes {JMP QWORD [RIP+0x908e950]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefcf48ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefeb5687c 6 bytes {JMP QWORD [RIP+0x5a97b4]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefeb58e30 6 bytes {JMP QWORD [RIP+0x627200]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefeb5995c 6 bytes {JMP QWORD [RIP+0x6066d4]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefeb599e4 6 bytes {JMP QWORD [RIP+0x50664c]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefeb59ac8 6 bytes {JMP QWORD [RIP+0x4e6568]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefeb5a51c 6 bytes {JMP QWORD [RIP+0x585b14]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefeb5a530 6 bytes {JMP QWORD [RIP+0x565b00]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefeb5a5b0 5 bytes [FF, 25, 80, 5A, 52] .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefeb5a5c4 6 bytes {JMP QWORD [RIP+0x545a6c]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefeb5bb28 6 bytes {JMP QWORD [RIP+0x5c4508]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefeb5bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[5672] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefeb5bb40 2 bytes [5E, 00] .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes {JMP QWORD [RIP+0x4dc1b0]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x8add64]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x867c98]} .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 200077 .text C:\Windows\system32\svchost.exe[5672] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x886cec]} .text C:\Windows\system32\svchost.exe[5672] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000016f50a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077173b10 6 bytes {JMP QWORD [RIP+0x92ac520]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 00000000771a1370 6 bytes {JMP QWORD [RIP+0x8f7ecc0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000771a13a0 6 bytes {JMP QWORD [RIP+0x925ec90]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 00000000771a1470 6 bytes {JMP QWORD [RIP+0x999ebc0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 00000000771a14d0 6 bytes {JMP QWORD [RIP+0x8f5eb60]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 00000000771a14e0 6 bytes {JMP QWORD [RIP+0x91beb50]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771a1570 6 bytes {JMP QWORD [RIP+0x988eac0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771a15e0 6 bytes {JMP QWORD [RIP+0x919ea50]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771a1620 6 bytes {JMP QWORD [RIP+0x913ea10]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 00000000771a1640 6 bytes {JMP QWORD [RIP+0x91de9f0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771a16b0 6 bytes {JMP QWORD [RIP+0x8ffe980]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000771a16c0 6 bytes {JMP QWORD [RIP+0x993e970]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771a1730 6 bytes {JMP QWORD [RIP+0x8fde900]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771a1750 6 bytes {JMP QWORD [RIP+0x911e8e0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771a1790 6 bytes {JMP QWORD [RIP+0x980e8a0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771a17e0 6 bytes {JMP QWORD [RIP+0x982e850]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771a1800 6 bytes {JMP QWORD [RIP+0x917e830]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771a19f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00000000771a1a00 6 bytes {JMP QWORD [RIP+0x8efe630]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771a1b00 6 bytes {JMP QWORD [RIP+0x8f3e530]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000771a1bd0 6 bytes {JMP QWORD [RIP+0x90de460]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771a1c10 6 bytes {JMP QWORD [RIP+0x901e420]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771a1c80 6 bytes {JMP QWORD [RIP+0x8f9e3b0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 00000000771a1c90 6 bytes {JMP QWORD [RIP+0x915e3a0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 00000000771a1cb0 6 bytes {JMP QWORD [RIP+0x909e380]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771a1d10 6 bytes {JMP QWORD [RIP+0x905e320]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000771a1d20 6 bytes {JMP QWORD [RIP+0x995e310]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771a1d30 6 bytes {JMP QWORD [RIP+0x99be300]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 00000000771a1d90 6 bytes {JMP QWORD [RIP+0x90fe2a0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771a20a0 6 bytes {JMP QWORD [RIP+0x98bdf90]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000771a2130 6 bytes {JMP QWORD [RIP+0x997df00]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771a2190 6 bytes {JMP QWORD [RIP+0x921dea0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771a21a0 6 bytes {JMP QWORD [RIP+0x91fde90]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771a21d0 6 bytes {JMP QWORD [RIP+0x903de60]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771a2240 6 bytes {JMP QWORD [RIP+0x8fbddf0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771a2290 6 bytes {JMP QWORD [RIP+0x907dda0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771a27a0 6 bytes {JMP QWORD [RIP+0x90bd890]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771a29a0 6 bytes {JMP QWORD [RIP+0x98dd690]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000771a29c0 6 bytes {JMP QWORD [RIP+0x923d670]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771a2a20 6 bytes {JMP QWORD [RIP+0x984d610]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771a2aa0 6 bytes {JMP QWORD [RIP+0x986d590]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 0000000076f362e0 6 bytes {JMP QWORD [RIP+0x90e9d50]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 0000000076f43a20 6 bytes {JMP QWORD [RIP+0x913c610]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076f4db80 6 bytes {JMP QWORD [RIP+0x98924b0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 0000000076fb16e0 6 bytes {JMP QWORD [RIP+0x908e950]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefcf48ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefcf49055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefcf553c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefeb5687c 6 bytes {JMP QWORD [RIP+0x5a97b4]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefeb58e30 6 bytes {JMP QWORD [RIP+0x627200]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefeb5995c 6 bytes {JMP QWORD [RIP+0x6066d4]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefeb599e4 6 bytes {JMP QWORD [RIP+0x50664c]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefeb59ac8 6 bytes {JMP QWORD [RIP+0x4e6568]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefeb5a51c 6 bytes {JMP QWORD [RIP+0x585b14]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefeb5a530 6 bytes {JMP QWORD [RIP+0x565b00]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefeb5a5b0 5 bytes [FF, 25, 80, 5A, 52] .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefeb5a5c4 6 bytes {JMP QWORD [RIP+0x545a6c]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefeb5bb28 6 bytes {JMP QWORD [RIP+0x5c4508]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefeb5bb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[2520] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefeb5bb40 2 bytes [5E, 00] .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefecc3e80 6 bytes {JMP QWORD [RIP+0x4dc1b0]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefe9722cc 6 bytes {JMP QWORD [RIP+0x8add64]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefe978398 6 bytes {JMP QWORD [RIP+0x867c98]} .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefe9789d8 6 bytes JMP 200077 .text C:\Windows\system32\svchost.exe[2520] C:\Windows\system32\GDI32.dll!GetPixel 000007fefe979344 6 bytes {JMP QWORD [RIP+0x886cec]} .text C:\Windows\system32\svchost.exe[2520] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000016f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtReplyPort 000000007734f994 3 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtReplyPort + 4 000000007734f998 2 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 7051000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 7051000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtRequestWaitReplyPort 000000007734fbc0 3 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtRequestWaitReplyPort + 4 000000007734fbc4 2 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtQueryVirtualMemory 000000007734fbd8 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtQueryVirtualMemory + 4 000000007734fbdc 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7068000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7068000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 000000007734fdf8 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile + 4 000000007734fdfc 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007734fea8 3 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent + 4 000000007734feac 2 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 705a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 705a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 7074000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 7074000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7071000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7071000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateNamedPipeFile 00000000773507b4 3 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateNamedPipeFile + 4 00000000773507b8 2 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7057000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7057000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 704e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 704e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateWaitablePort 0000000077350934 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtCreateWaitablePort + 4 0000000077350938 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 7064000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 7064000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7054000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7054000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077350f70 3 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey + 4 0000000077350f74 2 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350f88 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys + 4 0000000077350f8c 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEventPair 0000000077350fd0 3 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEventPair + 4 0000000077350fd4 2 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077351078 3 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 4 000000007735107c 2 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000773510f0 3 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 4 00000000773510f4 2 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort 00000000773518c0 3 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 4 00000000773518c4 2 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7061000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7061000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime 0000000077351c14 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 4 0000000077351c18 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 706e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 706e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 706b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 706b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\kernel32.dll!RegOpenKeyExW 00000000754a22d1 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\kernel32.dll!GetPrivateProfileStringW 00000000754aea10 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\kernel32.dll!GetPrivateProfileStringA 00000000754b1814 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 70a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 70a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 70ab000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c82ab1 6 bytes JMP 70b1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 7099000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!SetServiceStatus 0000000074d34f9c 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!I_ScValidatePnPService 0000000074d36b9d 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!I_ScPnPGetServiceName 0000000074d37c40 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerW 0000000074d37d47 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerA 0000000074d37d64 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerExW 0000000074d37da8 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!RegisterServiceCtrlHandlerExA 0000000074d37dc6 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!StartServiceCtrlDispatcherA 0000000074d384eb 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!StartServiceCtrlDispatcherW 0000000074d385b2 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!NotifyServiceStatusChange 0000000074d3a0ff 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\SysWOW64\sechost.dll!NotifyServiceStatusChangeA 0000000074d3a11d 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!StartServiceCtrlDispatcherW 000000007565a905 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerW 000000007565a91d 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerExW 000000007565a94d 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!SetServiceStatus 000000007565c746 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerA 00000000756935cf 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!RegisterServiceCtrlHandlerExA 00000000756935df 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\ADVAPI32.dll!StartServiceCtrlDispatcherA 000000007569365f 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetClassNameW 00000000751382a9 6 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075138a29 6 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!RegisterClassW 0000000075138a65 6 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000751398fd 6 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!UnregisterClassW 0000000075139f84 6 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!RegisterClassExW 000000007513b17d 6 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetClassInfoExW 000000007513b238 6 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetClassInfoW 000000007513b422 6 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!EnumWindows 000000007513d1cf 6 bytes JMP 70be000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007513d22e 6 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!RegisterClassExA 000000007513db98 6 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!UnregisterClassA 000000007513dced 6 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 707e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!FindWindowA 000000007513ffe6 6 bytes JMP 70c1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000751400d9 6 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!EnumChildWindows 0000000075140e94 6 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!EnumThreadWindows 0000000075143961 6 bytes JMP 70bb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!RegisterClassA 000000007514434b 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!EnumDesktopWindows 0000000075145f53 6 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetClassInfoExA 000000007514695f 6 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetClassInfoA 0000000075146ade 6 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7081000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetClassNameA 00000000751479df 6 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 7084000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 000000007514b029 6 bytes JMP 7091000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 000000007514c63e 6 bytes JMP 7094000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000075155246 6 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007515cbf3 6 bytes JMP 708c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 000000007515ce54 6 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007515cfca 6 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetShellWindow 000000007515e8a8 3 bytes JMP 71a2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!GetShellWindow + 4 000000007515e8ac 2 bytes JMP 71a2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!FindWindowExW 000000007515f588 6 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000751610a0 6 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000751610dc 6 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007517cb0c 6 bytes JMP 70d0000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007517ce64 6 bytes JMP 7089000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 709c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 70a5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 709f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 70a2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\SHELL32.dll!ShellExecuteExW 0000000076061e06 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\SHELL32.dll!SHOpenFolderAndSelectItems 000000007628534a 6 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007734f9e0 3 bytes JMP 71af000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007734f9e4 2 bytes JMP 71af000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 000000007734fb28 3 bytes JMP 713f000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 000000007734fb2c 2 bytes JMP 713f000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007734fcb0 3 bytes JMP 7160000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007734fcb4 2 bytes JMP 7160000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007734fd64 3 bytes JMP 714b000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007734fd68 2 bytes JMP 714b000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007734fdc8 3 bytes JMP 7151000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007734fdcc 2 bytes JMP 7151000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007734fec0 3 bytes JMP 7148000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007734fec4 2 bytes JMP 7148000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007734ff74 3 bytes JMP 7178000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 000000007734ff78 2 bytes JMP 7178000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007734ffa4 3 bytes JMP 7154000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007734ffa8 2 bytes JMP 7154000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077350004 3 bytes JMP 716c000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077350008 2 bytes JMP 716c000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077350084 3 bytes JMP 7169000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077350088 2 bytes JMP 7169000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773500b4 3 bytes JMP 714e000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000773500b8 2 bytes JMP 714e000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000773503b8 3 bytes JMP 7139000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000773503bc 2 bytes JMP 7139000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 00000000773503d0 3 bytes JMP 717e000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 00000000773503d4 2 bytes JMP 717e000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077350550 3 bytes JMP 7181000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077350554 2 bytes JMP 7181000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077350694 3 bytes JMP 715d000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077350698 2 bytes JMP 715d000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 00000000773506f4 3 bytes JMP 7175000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 00000000773506f8 2 bytes JMP 7175000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007735079c 3 bytes JMP 717b000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 00000000773507a0 2 bytes JMP 717b000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 00000000773507e4 3 bytes JMP 716f000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 00000000773507e8 2 bytes JMP 716f000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077350874 3 bytes JMP 7172000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077350878 2 bytes JMP 7172000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007735088c 3 bytes JMP 7145000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077350890 2 bytes JMP 7145000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773508a4 3 bytes JMP 713c000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000773508a8 2 bytes JMP 713c000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077350df4 3 bytes JMP 715a000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077350df8 2 bytes JMP 715a000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077350ed8 3 bytes JMP 7142000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077350edc 2 bytes JMP 7142000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077351be4 3 bytes JMP 7157000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077351be8 2 bytes JMP 7157000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077351cb4 3 bytes JMP 7166000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077351cb8 2 bytes JMP 7166000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077351d8c 3 bytes JMP 7163000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077351d90 2 bytes JMP 7163000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077371287 6 bytes JMP 71a8000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000754b3bbb 3 bytes JMP 719c000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000754b3bbf 2 bytes JMP 719c000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075c7f784 6 bytes JMP 719f000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075c82c9e 4 bytes CALL 71ac0000 .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007513ee09 6 bytes JMP 7184000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075147603 6 bytes JMP 7187000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007514835c 6 bytes JMP 718a000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000075f958b3 6 bytes JMP 7190000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075f97bcc 6 bytes JMP 7199000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000075f9cbfb 6 bytes JMP 7193000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000075f9e743 6 bytes JMP 7196000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074cf124e 6 bytes JMP 718d000a .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b71465 2 bytes [B7, 75] .text C:\Users\user\AppData\Local\Temp\7zO659B.tmp\m57g1hli.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b714bb 2 bytes [B7, 75] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes ---- EOF - GMER 2.1 ----