GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-22 06:29:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 HGST_HTS545050A7E380 rev.GG2OACD0 465,76GB Running: yyd1x589.exe; Driver: C:\TMP\pgncrfob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003203000 23 bytes [4C, 89, 32, 49, 2B, CD, 48, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 552 fffff80003203018 3 bytes [C1, E0, 03] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\services.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\services.exe[716] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\lsass.exe[768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsass.exe[768] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff953e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\svchost.exe[588] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes JMP 8443ba0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes JMP 6bac6c1d .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes JMP 6ac0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes JMP 8d529b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes JMP 976dc98 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes JMP 8ae5511 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes JMP 2cc0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes JMP 8ade011 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes JMP 8ae5511 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes JMP 96bbc51 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes JMP 3d5c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes JMP 8c22ea8 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes JMP 8cc7051 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes JMP 9fac0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes JMP 8ae4b11 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes JMP 22b5c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes JMP 4712a50 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes JMP 10132df .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes JMP 96bde91 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes JMP 10dbf81 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes JMP 9771090 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes JMP 9747d80 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes JMP b5c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes JMP 9747330 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes JMP 8bb6068 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes JMP 9799568 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes JMP 24e031a .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes JMP e590879 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes JMP 6210882 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes JMP 7184a31 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes JMP 20c580 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1060] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\System32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff953e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1488] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff953e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes JMP 0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes JMP b .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077b013e0 5 bytes JMP 0000000077cb0016 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000077b01600 5 bytes JMP 0000000077cc0016 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes JMP 4748bb78 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP ff412f25 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes JMP ff050304 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000779b6ef0 6 bytes {JMP QWORD [RIP+0x8a89140]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000779b8184 6 bytes {JMP QWORD [RIP+0x8b67eac]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetParent 00000000779b8530 6 bytes {JMP QWORD [RIP+0x8aa7b00]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000779b9bcc 6 bytes {JMP QWORD [RIP+0x8806464]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!PostMessageA 00000000779ba404 6 bytes {JMP QWORD [RIP+0x8845c2c]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!EnableWindow 00000000779baaa0 6 bytes JMP 24bc8b48 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!MoveWindow 00000000779baad0 6 bytes {JMP QWORD [RIP+0x8ac5560]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000779bc720 6 bytes {JMP QWORD [RIP+0x8a63910]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000779bcd50 6 bytes JMP 4c18349 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000779bd2b0 6 bytes {JMP QWORD [RIP+0x8882d80]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendMessageA 00000000779bd338 6 bytes {JMP QWORD [RIP+0x88c2cf8]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000779bdc40 6 bytes {JMP QWORD [RIP+0x89a23f0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000779bf510 6 bytes JMP 15ffcc8b .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000779bf874 6 bytes {JMP QWORD [RIP+0x87c07bc]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000779bfac0 6 bytes {JMP QWORD [RIP+0x8920570]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000779c0b74 6 bytes {JMP QWORD [RIP+0x889f4bc]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000779c33b0 6 bytes {JMP QWORD [RIP+0x881cc80]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000779c4d4d 5 bytes {JMP QWORD [RIP+0x87db2e4]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!GetKeyState 00000000779c5010 6 bytes {JMP QWORD [RIP+0x8a3b020]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000779c5438 6 bytes {JMP QWORD [RIP+0x895abf8]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendMessageW 00000000779c6b50 6 bytes {JMP QWORD [RIP+0x88d94e0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!PostMessageW 00000000779c76e4 6 bytes {JMP QWORD [RIP+0x885894c]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000779cdd90 6 bytes {JMP QWORD [RIP+0x89d22a0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!GetClipboardData 00000000779ce874 6 bytes {JMP QWORD [RIP+0x8b117bc]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000779cf780 6 bytes {JMP QWORD [RIP+0x8ad08b0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000779d28e4 6 bytes {JMP QWORD [RIP+0x896d74c]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!mouse_event 00000000779d3894 6 bytes {JMP QWORD [RIP+0x876c79c]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000779d8a10 6 bytes {JMP QWORD [RIP+0x8a07620]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000779d8be0 6 bytes {JMP QWORD [RIP+0x88e7450]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000779d8c20 6 bytes {JMP QWORD [RIP+0x8787410]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendInput 00000000779d8cd0 6 bytes {JMP QWORD [RIP+0x89e7360]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!BlockInput 00000000779dad60 6 bytes {JMP QWORD [RIP+0x8ae52d0]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!ExitWindowsEx 0000000077a014e0 6 bytes JMP 2c7f640 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!keybd_event 0000000077a245a4 6 bytes {JMP QWORD [RIP+0x86fba8c]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 0000000077a2cc08 6 bytes {JMP QWORD [RIP+0x8953428]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\USER32.dll!SendMessageCallbackA 0000000077a2df18 6 bytes {JMP QWORD [RIP+0x88d2118]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\SHELL32.dll!SHFileOperationW 000007fefe288f8c 5 bytes [FF, 25, A4, 70, D9] .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\SHELL32.dll!SHFileOperation 000007fefe4a1fb4 6 bytes {JMP QWORD [RIP+0xb5e07c]} .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000077b013e0 5 bytes JMP 0000000077cb0016 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 0000000077b01600 5 bytes JMP 0000000077cc0016 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b017d0 5 bytes JMP 0000000077ca0016 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b01d80 5 bytes JMP 0000000077c90016 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP c45c5470 .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\system32\taskhost.exe[1880] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes [B7, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes [C3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes [C9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes [F0, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes [CC, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes [E4, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes [C6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes [B1, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes [F6, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes [F9, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes [F3, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes [EA, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [BD, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes [B4, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D2, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [BA, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [CF, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 394648 .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Program Files\Diskeeper Corporation\ExpressCache\ExpressCache.exe[2068] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70b2000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70b2000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D2, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70be000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70be000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70c4000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70c4000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [BA, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70eb000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70eb000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70c7000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70c7000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes [DE, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70dc000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70dc000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70c1000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70c1000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70ac000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70ac000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 70f1000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 70f1000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 70f4000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 70f4000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [CF, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [E7, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 70ee000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 70ee000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E1, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 70e5000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 70e5000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [B7, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70af000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70af000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [CC, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [B4, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [C9, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [D8, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [D5, 70] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes JMP 719c000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes JMP 719c000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [77, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007739f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000773a2c9e 4 bytes CALL 71ac0000 .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f88332 6 bytes JMP 714e000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f88bff 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f890d3 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f89679 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f897d2 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f8ee09 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f8efc9 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f8efcd 2 bytes [02, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f912a5 6 bytes JMP 7148000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f9291f 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f92d64 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f92d68 2 bytes [11, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f92da4 6 bytes {JMP QWORD [RIP+0x70f9001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f93698 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f9369c 2 bytes [0E, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f93baa 6 bytes JMP 714b000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f93c61 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f96110 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f9612e 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f96c30 6 bytes {JMP QWORD [RIP+0x70ff001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f97603 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f97668 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f976e0 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f9781f 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f9835c 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f9c4b6 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f9c4ba 2 bytes [0B, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076fac112 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076fad0f5 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076faeb96 6 bytes {JMP QWORD [RIP+0x7117001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076faec68 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076faec6c 2 bytes [1D, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendInput 0000000076faff4a 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076faff4e 2 bytes [20, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076fc9f1d 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076fd1497 6 bytes {JMP QWORD [RIP+0x70f6001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076fe027b 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076fe02bf 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076fe6cfc 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076fe6d5d 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076fe7dd7 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076fe7ddb 2 bytes [08, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076fe88eb 3 bytes [FF, 25, 1E] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076fe88ef 2 bytes [14, 71] .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077429d0b 6 bytes JMP 7199000a .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075ac9708 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe[2592] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075ccb4d1 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077cafa40 5 bytes JMP 00000001028524c9 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes [B7, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D8, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes [C3, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077cafd98 5 bytes JMP 000000010285253b .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes [C9, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C0, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes [CC, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077caffec 5 bytes JMP 0000000102851acb .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 6 bytes JMP 0000000102851b0c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077cb0068 5 bytes JMP 0000000102851b55 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes [B1, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes [F6, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [D5, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [ED, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E7, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes [EA, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [BD, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes [B4, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077cb091c 5 bytes JMP 0000000102851a79 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D2, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [BA, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [CF, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [DE, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [DB, 70] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077cafa40 5 bytes JMP 00000001024824c9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D8, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077cafd98 5 bytes JMP 000000010248253b .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C0, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077caffec 5 bytes JMP 0000000102481acb .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 6 bytes JMP 0000000102481b0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077cb0068 5 bytes JMP 0000000102481b55 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [D5, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [ED, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E7, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [BD, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077cb091c 5 bytes JMP 0000000102481a79 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D2, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [BA, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [CF, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [DE, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [DB, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007739f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000773a2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077429d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771a58b3 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771a5ea6 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771a7bcc 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771ab895 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771ac332 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771acbfb 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771ae743 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771d4857 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f88332 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f88bff 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f890d3 6 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f89679 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f897d2 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f8ee09 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f8efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f8efcd 2 bytes [08, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f912a5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f9291f 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f92d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f92d68 2 bytes [17, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f92da4 6 bytes {JMP QWORD [RIP+0x70ff001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f93698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f9369c 2 bytes [14, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f93baa 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f93c61 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f96110 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f9612e 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f96c30 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f97603 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f97668 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f976e0 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f9781f 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f9835c 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f9c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f9c4ba 2 bytes [11, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076fac112 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076fad0f5 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076faeb96 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076faec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076faec6c 2 bytes [23, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendInput 0000000076faff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076faff4e 2 bytes [26, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076fc9f1d 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076fd1497 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076fe027b 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076fe02bf 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076fe6cfc 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076fe6d5d 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076fe7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076fe7ddb 2 bytes [0E, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076fe88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076fe88ef 2 bytes [1A, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075ac9708 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3084] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075ccb4d1 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077cafa40 5 bytes JMP 00000001033224c9 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D8, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077cafd98 5 bytes JMP 000000010332253b .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes [C9, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C0, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes [CC, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077caffec 5 bytes JMP 0000000103321acb .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 6 bytes JMP 0000000103321b0c .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077cb0068 5 bytes JMP 0000000103321b55 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes [B1, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes [F6, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [D5, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [ED, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes [F3, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E7, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes [EA, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [BD, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes [B4, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077cb091c 5 bytes JMP 0000000103321a79 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D2, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [BA, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [CF, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [DE, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [DB, 70] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771a58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771a5ea6 6 bytes JMP 7172000a .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771a7bcc 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771ab895 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771ac332 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771acbfb 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771ae743 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3100] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771d4857 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077cafa40 5 bytes JMP 00000001055624c9 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D8, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077cafd98 5 bytes JMP 000000010556253b .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C0, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077caffec 5 bytes JMP 0000000105561acb .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 6 bytes JMP 0000000105561b0c .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077cb0068 5 bytes JMP 0000000105561b55 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes [F6, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [D5, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [ED, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E7, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [BD, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077cb091c 5 bytes JMP 0000000105561a79 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D2, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [BA, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [CF, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [DE, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [DB, 70] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes JMP 719c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes JMP 719c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007739f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000773a2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f88332 6 bytes JMP 7154000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f88bff 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f890d3 6 bytes JMP 7103000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f89679 6 bytes JMP 7142000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f897d2 6 bytes JMP 713c000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f8ee09 6 bytes JMP 715a000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f8efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f8efcd 2 bytes [08, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f912a5 6 bytes JMP 714e000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f9291f 6 bytes JMP 7121000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f92d64 3 bytes JMP 7118000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f92d68 2 bytes JMP 7118000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f92da4 6 bytes JMP 7100000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f93698 3 bytes JMP 7115000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f9369c 2 bytes JMP 7115000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f93baa 6 bytes JMP 7151000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f93c61 6 bytes JMP 714b000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f96110 6 bytes JMP 7157000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f9612e 6 bytes JMP 7145000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f96c30 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f97603 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f97668 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f976e0 6 bytes JMP 7136000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f9781f 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f9835c 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f9c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f9c4ba 2 bytes [11, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076fac112 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076fad0f5 6 bytes JMP 712a000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076faeb96 6 bytes JMP 711e000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076faec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076faec6c 2 bytes [23, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendInput 0000000076faff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076faff4e 2 bytes [26, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076fc9f1d 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076fd1497 6 bytes {JMP QWORD [RIP+0x70fc001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076fe027b 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076fe02bf 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076fe6cfc 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076fe6d5d 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076fe7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076fe7ddb 2 bytes [0E, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076fe88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076fe88ef 2 bytes [1A, 71] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771a58b3 6 bytes JMP 718d000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771a5ea6 6 bytes JMP 7172000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771a7bcc 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771ab895 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771ac332 6 bytes JMP 716f000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771acbfb 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771ae743 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771d4857 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\SHELL32.dll!SHFileOperationW 0000000075ac9708 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 0000000075ccb4d1 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077429d0b 6 bytes JMP 7199000a .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077601465 2 bytes [60, 77] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776014bb 2 bytes [60, 77] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3504] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077cafa40 5 bytes JMP 0000000107e824c9 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70be000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70be000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [DE, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077cafd98 5 bytes JMP 0000000107e8253b .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes [CF, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C6, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes [D2, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077caffec 5 bytes JMP 0000000107e81acb .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 6 bytes JMP 0000000107e81b0c .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077cb0068 5 bytes JMP 0000000107e81b55 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7100000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [DB, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [ED, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [C3, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077cb091c 5 bytes JMP 0000000107e81a79 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D8, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [C0, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [D5, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [E4, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [E1, 70] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007739f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3612] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000773a2c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes [B7, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes [D8, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes [C9, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes [C0, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes [E4, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70c7000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes [F6, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes [D5, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes [ED, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes [E7, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes [BD, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes [B4, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes [D2, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes [BA, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes [CF, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes [DE, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes [DB, 70] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes [9B, 71] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes [7D, 71] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007739f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000773a2c9e 4 bytes CALL 71ac0000 .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\SearchIndexer.exe[4120] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x3a4638]} .text C:\Windows\system32\igfxEM.exe[4416] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x383750]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 3a46a0 .text C:\Windows\system32\igfxTray.exe[4432] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x383750]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x8cdea50]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x8c9ea10]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x8afe900]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x8c7e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x8cbe830]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x8ade3b0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x8b3e320]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[688] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x894c520]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000077b01370 6 bytes {JMP QWORD [RIP+0x861ecc0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x88fec90]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x951ebc0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077b014d0 6 bytes {JMP QWORD [RIP+0x85feb60]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 0000000077b014e0 6 bytes {JMP QWORD [RIP+0x885eb50]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x940eac0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x883ea50]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x87dea10]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000077b01640 6 bytes {JMP QWORD [RIP+0x887e9f0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b016b0 6 bytes {JMP QWORD [RIP+0x869e980]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x94be970]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x867e900]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x87be8e0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x938e8a0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x93ae850]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x881e830]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x85be640]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x859e630]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x85de530]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x877e460]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x86be420]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x863e3b0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077b01c90 6 bytes {JMP QWORD [RIP+0x87fe3a0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x873e380]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x86fe320]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x94de310]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x953e300]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000077b01d90 6 bytes {JMP QWORD [RIP+0x879e2a0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x943df90]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x94fdf00]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b02190 6 bytes {JMP QWORD [RIP+0x88bdea0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b021a0 6 bytes {JMP QWORD [RIP+0x889de90]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b021d0 6 bytes {JMP QWORD [RIP+0x86dde60]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b02240 6 bytes {JMP QWORD [RIP+0x865ddf0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b02290 6 bytes {JMP QWORD [RIP+0x871dda0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000077b027a0 6 bytes {JMP QWORD [RIP+0x875d890]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x945d690]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077b029c0 6 bytes {JMP QWORD [RIP+0x88dd670]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x93cd610]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x93ed590]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000778962e0 6 bytes {JMP QWORD [RIP+0x8789d50]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x8fde7a0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000778a3a20 6 bytes {JMP QWORD [RIP+0x87dc610]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x8f324b0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000779116e0 6 bytes {JMP QWORD [RIP+0x872e950]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8f00ba0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x8f40b70]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x8ee09a0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x8f1abd0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd978ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefefc687c 6 bytes {JMP QWORD [RIP+0x1997b4]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefefc8e30 6 bytes {JMP QWORD [RIP+0x217200]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefefc995c 4 bytes [FF, 25, D4, 66] .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName + 5 000007fefefc9961 1 byte [00] .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefefc99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefefc9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefefca51c 6 bytes {JMP QWORD [RIP+0x175b14]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefefca530 6 bytes {JMP QWORD [RIP+0x155b00]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefefca5b0 5 bytes JMP 1000c .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefefca5c4 6 bytes {JMP QWORD [RIP+0x135a6c]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefefcbb28 6 bytes {JMP QWORD [RIP+0x1b4508]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefefcbb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[3928] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefefcbb40 2 bytes [1D, 00] .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff953e80 6 bytes {JMP QWORD [RIP+0x6cc1b0]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x3e7c98]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x3c7658]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x406cec]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x4a4638]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x483750]} .text C:\Windows\system32\svchost.exe[3928] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[3928] c:\windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x894c520]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyPort 0000000077b01370 6 bytes {JMP QWORD [RIP+0x861ecc0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x88fec90]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x951ebc0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077b014d0 6 bytes {JMP QWORD [RIP+0x85feb60]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 0000000077b014e0 6 bytes {JMP QWORD [RIP+0x885eb50]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x940eac0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes {JMP QWORD [RIP+0x883ea50]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes {JMP QWORD [RIP+0x87dea10]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtFsControlFile 0000000077b01640 6 bytes {JMP QWORD [RIP+0x887e9f0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b016b0 6 bytes {JMP QWORD [RIP+0x869e980]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x94be970]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes {JMP QWORD [RIP+0x867e900]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes {JMP QWORD [RIP+0x87be8e0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x938e8a0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x93ae850]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes {JMP QWORD [RIP+0x881e830]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x85be640]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x859e630]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x85de530]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x877e460]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x86be420]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes {JMP QWORD [RIP+0x863e3b0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077b01c90 6 bytes {JMP QWORD [RIP+0x87fe3a0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x873e380]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes {JMP QWORD [RIP+0x86fe320]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x94de310]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x953e300]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateWaitablePort 0000000077b01d90 6 bytes {JMP QWORD [RIP+0x879e2a0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x943df90]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x94fdf00]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b02190 6 bytes {JMP QWORD [RIP+0x88bdea0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b021a0 6 bytes {JMP QWORD [RIP+0x889de90]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b021d0 6 bytes {JMP QWORD [RIP+0x86dde60]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b02240 6 bytes {JMP QWORD [RIP+0x865ddf0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b02290 6 bytes {JMP QWORD [RIP+0x871dda0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 0000000077b027a0 6 bytes {JMP QWORD [RIP+0x875d890]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x945d690]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000077b029c0 6 bytes {JMP QWORD [RIP+0x88dd670]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x93cd610]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x93ed590]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringW 00000000778962e0 6 bytes {JMP QWORD [RIP+0x8789d50]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x8fde7a0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!RegOpenKeyExW 00000000778a3a20 6 bytes {JMP QWORD [RIP+0x87dc610]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x8f324b0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!GetPrivateProfileStringA 00000000779116e0 6 bytes {JMP QWORD [RIP+0x872e950]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8f00ba0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x8f40b70]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x8ee09a0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x8f1abd0]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 000007fefd978ef1 5 bytes {JMP QWORD [RIP+0xb7140]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0C] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!SetServiceStatus 000007fefefc687c 6 bytes {JMP QWORD [RIP+0x1997b4]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!I_ScValidatePnPService 000007fefefc8e30 6 bytes JMP 430000 .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName 000007fefefc995c 4 bytes [FF, 25, D4, 66] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!I_ScPnPGetServiceName + 5 000007fefefc9961 1 byte [00] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherA 000007fefefc99e4 6 bytes {JMP QWORD [RIP+0x5664c]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!StartServiceCtrlDispatcherW 000007fefefc9ac8 6 bytes {JMP QWORD [RIP+0x36568]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerW 000007fefefca51c 6 bytes {JMP QWORD [RIP+0x175b14]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerA 000007fefefca530 6 bytes {JMP QWORD [RIP+0x155b00]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExW 000007fefefca5b0 5 bytes [FF, 25, 80, 5A, 07] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!RegisterServiceCtrlHandlerExA 000007fefefca5c4 6 bytes {JMP QWORD [RIP+0x135a6c]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChange 000007fefefcbb28 6 bytes {JMP QWORD [RIP+0x1b4508]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA 000007fefefcbb3c 3 bytes [FF, 25, F4] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\SYSTEM32\sechost.dll!NotifyServiceStatusChangeA + 4 000007fefefcbb40 2 bytes [1D, 00] .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x42dd64]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x44db70]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x46a440]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x3e7c98]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x406cec]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x4a4638]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x483750]} .text C:\Windows\system32\svchost.exe[3464] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\svchost.exe[3464] c:\windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 12 bytes {MOV RAX, 0x24dfb7c; JMP RAX} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000778b0651 8 bytes [B8, 10, FB, 4D, 02, 00, 00, ...] .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000778b065a 2 bytes {JMP RAX} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL b91a7400 .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes JMP 83485540 .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes JMP 53 .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd671d90 12 bytes {MOV RAX, 0x24dfc9c; JMP RAX} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\conhost.exe[3720] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd685444 12 bytes {MOV RAX, 0x24dfbfc; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 0000000077b013d0 6 bytes [48, B8, 4C, 1B, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 0000000077b013d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077b01480 6 bytes [48, B8, 84, 1B, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077b01488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes [48, B8, 60, 16, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077b015e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes [48, B8, D4, 13, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077b01628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077b01680 6 bytes [48, B8, 60, 18, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077b01688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b016b0 6 bytes [48, B8, 50, 0D, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077b016b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes [48, B8, 2C, 0C, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077b01738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes [48, B8, 90, 12, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077b01758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes [48, B8, FC, 13, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077b01808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077b01830 6 bytes [48, B8, 04, 0C, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077b01838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b01c20 6 bytes [48, B8, 30, 1A, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077b01c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077b01c60 6 bytes [48, B8, 78, 0D, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 0000000077b01c68 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes [48, B8, BC, 0E, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077b01c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077b01c90 6 bytes [48, B8, C0, 14, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077b01c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes [48, B8, 00, 10, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077b01d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b01d40 6 bytes [48, B8, 4C, 11, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077b01d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077b01e00 6 bytes [48, B8, A4, 17, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077b01e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b021e0 6 bytes [48, B8, 4C, 1B, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 0000000077b021e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077b02200 6 bytes [48, B8, DC, 1C, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077b02208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077b02230 6 bytes [48, B8, 94, 0E, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077b02238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b02240 6 bytes [48, B8, D8, 0F, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077b02248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b02290 6 bytes [48, B8, 24, 11, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077b02298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 0000000077b022b0 6 bytes [48, B8, E0, 0B, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 0000000077b022b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b022d0 6 bytes [48, B8, 68, 12, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 0000000077b022d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077b02410 6 bytes [48, B8, 48, 19, 46, 02] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077b02418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 12 bytes {MOV RAX, 0x2461d7c; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000778b0651 8 bytes [B8, 10, 1D, 46, 02, 00, 00, ...] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000778b065a 2 bytes {JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL 438d48ca .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes JMP 0 .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes JMP 0 .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes JMP 0 .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x3b4638]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x393750]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes JMP 0 .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\SspiCli.dll!FreeCredentialsHandle 000007fefd671d90 12 bytes {MOV RAX, 0x2461e9c; JMP RAX} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0xaaf90]} .text C:\Windows\system32\msiexec.exe[7968] C:\Windows\system32\SspiCli.dll!AcquireCredentialsHandleA 000007fefd685444 12 bytes {MOV RAX, 0x2461dfc; JMP RAX} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 12 bytes {MOV RAX, 0x24d6c3c; JMP RAX} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000778b0651 8 bytes [B8, D0, 6B, 4D, 02, 00, 00, ...] .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000778b065a 2 bytes {JMP RAX} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL b91a7400 .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes JMP a215 .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd671d90 12 bytes {MOV RAX, 0x24d6d5c; JMP RAX} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\conhost.exe[1084] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd685444 12 bytes {MOV RAX, 0x24d6cbc; JMP RAX} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 12 bytes {MOV RAX, 0x24d5abc; JMP RAX} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000778b0651 8 bytes [B8, 50, 5A, 4D, 02, 00, 00, ...] .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000778b065a 2 bytes {JMP RAX} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL b91a7400 .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes JMP 697c .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes JMP 8348ffff .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 8f1511a7 .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes JMP 0 .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd671d90 12 bytes {MOV RAX, 0x24d5bdc; JMP RAX} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\conhost.exe[7808] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd685444 12 bytes {MOV RAX, 0x24d5b3c; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077ad3b10 6 bytes {JMP QWORD [RIP+0x856c520]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b013a0 6 bytes {JMP QWORD [RIP+0x851ec90]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 0000000077b013d0 6 bytes [48, B8, CC, C6, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 0000000077b013d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b01470 6 bytes {JMP QWORD [RIP+0x8d5ebc0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077b01480 6 bytes [48, B8, 04, C7, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 0000000077b01488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b01570 6 bytes {JMP QWORD [RIP+0x8bfeac0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b015e0 6 bytes [48, B8, E0, C1, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077b015e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b01620 6 bytes [48, B8, 54, BF, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077b01628 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077b01680 6 bytes [48, B8, E0, C3, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077b01688 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b016b0 3 bytes [48, B8, D0] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 0000000077b016b4 2 bytes [5A, 02] .text ... * 2 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b016c0 6 bytes {JMP QWORD [RIP+0x8cfe970]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b01730 6 bytes [48, B8, AC, B7, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077b01738 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b01750 6 bytes [48, B8, 10, BE, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077b01758 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b01790 6 bytes {JMP QWORD [RIP+0x8b7e8a0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b017e0 6 bytes {JMP QWORD [RIP+0x8b9e850]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b01800 6 bytes [48, B8, 7C, BF, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077b01808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 0000000077b01830 6 bytes [48, B8, 84, B7, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 0000000077b01838 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b019f0 6 bytes {JMP QWORD [RIP+0x8d9e640]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b01a00 6 bytes {JMP QWORD [RIP+0x8abe630]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b01b00 6 bytes {JMP QWORD [RIP+0x8a9e530]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b01bd0 6 bytes {JMP QWORD [RIP+0x8c1e460]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b01c10 6 bytes {JMP QWORD [RIP+0x8b1e420]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b01c20 6 bytes [48, B8, B0, C5, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 0000000077b01c28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 0000000077b01c60 3 bytes [48, B8, F8] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 4 0000000077b01c64 2 bytes [5A, 02] .text ... * 2 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b01c80 6 bytes [48, B8, 3C, BA, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077b01c88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077b01c90 6 bytes [48, B8, 40, C0, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077b01c98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b01cb0 6 bytes {JMP QWORD [RIP+0x8b5e380]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b01d10 6 bytes [48, B8, 80, BB, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077b01d18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b01d20 6 bytes {JMP QWORD [RIP+0x8d1e310]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b01d30 6 bytes {JMP QWORD [RIP+0x8d7e300]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b01d40 6 bytes [48, B8, CC, BC, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 0000000077b01d48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077b01e00 6 bytes [48, B8, 24, C3, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077b01e08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b020a0 6 bytes {JMP QWORD [RIP+0x8c3df90]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b02130 6 bytes {JMP QWORD [RIP+0x8d3df00]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b021e0 6 bytes [48, B8, CC, C6, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 0000000077b021e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 0000000077b02200 6 bytes [48, B8, 5C, C8, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 0000000077b02208 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 0000000077b02230 6 bytes [48, B8, 14, BA, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 0000000077b02238 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b02240 6 bytes [48, B8, 58, BB, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077b02248 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b02290 6 bytes [48, B8, A4, BC, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077b02298 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 0000000077b022b0 6 bytes [48, B8, 60, B7, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 0000000077b022b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b022d0 6 bytes [48, B8, E8, BD, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 0000000077b022d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077b02410 6 bytes [48, B8, C8, C4, 5A, 02] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077b02418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b029a0 6 bytes {JMP QWORD [RIP+0x8c5d690]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b02a20 6 bytes {JMP QWORD [RIP+0x8bbd610]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b02aa0 6 bytes {JMP QWORD [RIP+0x8bdd590]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 12 bytes {MOV RAX, 0x25ac8fc; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 00000000778b0651 8 bytes [B8, 90, C8, 5A, 02, 00, 00, ...] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 00000000778b065a 2 bytes {JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes CALL b91a7400 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes JMP 41f600b .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes JMP c35d20c4 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes JMP 6e006e .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes JMP e818 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes JMP 0 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes JMP 41207889 .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefd671d90 12 bytes {MOV RAX, 0x25aca1c; JMP RAX} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\cmd.exe[6560] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefd685444 12 bytes {MOV RAX, 0x25ac97c; JMP RAX} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes {JMP QWORD [RIP+0x1ddd64]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes {JMP QWORD [RIP+0x1fdb70]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes {JMP QWORD [RIP+0x21a440]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes {JMP QWORD [RIP+0x233750]} .text C:\Windows\system32\conhost.exe[7876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes {JMP QWORD [RIP+0x208ba0]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000778a1890 6 bytes {JMP QWORD [RIP+0x885e7a0]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000778adb80 6 bytes {JMP QWORD [RIP+0x87b24b0]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 000000007791f490 6 bytes {JMP QWORD [RIP+0x8780ba0]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 000000007791f4c0 6 bytes {JMP QWORD [RIP+0x87c0b70]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 000000007791f690 6 bytes {JMP QWORD [RIP+0x87609a0]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000077925460 6 bytes {JMP QWORD [RIP+0x879abd0]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd979055 3 bytes [B5, 6F, 06] .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9853c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!DeleteDC 000007feffc722cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!BitBlt 000007feffc724c0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!MaskBlt 000007feffc75bf0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!CreateDCW 000007feffc78398 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!CreateDCA 000007feffc789d8 6 bytes {JMP QWORD [RIP+0x177658]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!GetPixel 000007feffc79344 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!StretchBlt 000007feffc7b9f8 6 bytes {JMP QWORD [RIP+0x394638]} .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\GDI32.dll!PlgBlt 000007feffc7c8e0 6 bytes JMP 6f0043 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd67490 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[8160] C:\Windows\System32\SspiCli.dll!EncryptMessage 000007fefd6750a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077caf9e0 3 bytes JMP 71af000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077caf9e4 2 bytes JMP 71af000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077cafb28 3 bytes JMP 70be000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077cafb2c 2 bytes JMP 70be000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077cafcb0 3 bytes JMP 70df000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077cafcb4 2 bytes JMP 70df000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077cafd64 3 bytes JMP 70ca000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077cafd68 2 bytes JMP 70ca000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077cafdc8 3 bytes JMP 70d0000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077cafdcc 2 bytes JMP 70d0000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077cafec0 3 bytes JMP 70c7000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077cafec4 2 bytes JMP 70c7000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077caff74 3 bytes JMP 70f7000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077caff78 2 bytes JMP 70f7000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077caffa4 3 bytes JMP 70d3000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077caffa8 2 bytes JMP 70d3000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077cb0004 3 bytes JMP 70eb000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077cb0008 2 bytes JMP 70eb000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077cb0084 3 bytes JMP 70e8000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077cb0088 2 bytes JMP 70e8000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077cb00b4 3 bytes JMP 70cd000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077cb00b8 2 bytes JMP 70cd000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077cb03b8 3 bytes JMP 70b8000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077cb03bc 2 bytes JMP 70b8000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077cb03d0 3 bytes JMP 70fd000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077cb03d4 2 bytes JMP 70fd000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077cb0550 3 bytes JMP 7100000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077cb0554 2 bytes JMP 7100000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077cb0694 3 bytes JMP 70dc000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077cb0698 2 bytes JMP 70dc000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077cb06f4 3 bytes JMP 70f4000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077cb06f8 2 bytes JMP 70f4000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077cb079c 3 bytes JMP 70fa000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077cb07a0 2 bytes JMP 70fa000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077cb07e4 3 bytes JMP 70ee000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077cb07e8 2 bytes JMP 70ee000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077cb0874 3 bytes JMP 70f1000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077cb0878 2 bytes JMP 70f1000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077cb088c 3 bytes JMP 70c4000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077cb0890 2 bytes JMP 70c4000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077cb08a4 3 bytes JMP 70bb000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077cb08a8 2 bytes JMP 70bb000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077cb0df4 3 bytes JMP 70d9000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077cb0df8 2 bytes JMP 70d9000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077cb0ed8 3 bytes JMP 70c1000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077cb0edc 2 bytes JMP 70c1000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077cb1be4 3 bytes JMP 70d6000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077cb1be8 2 bytes JMP 70d6000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077cb1cb4 3 bytes JMP 70e5000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077cb1cb8 2 bytes JMP 70e5000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077cb1d8c 3 bytes JMP 70e2000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077cb1d90 2 bytes JMP 70e2000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077cd1287 6 bytes JMP 71a8000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000757e3bbb 3 bytes JMP 719c000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000757e3bbf 2 bytes JMP 719c000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000757e9aa4 6 bytes JMP 7184000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000757f3b62 6 bytes JMP 717b000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000757fccd1 6 bytes JMP 7187000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007584dbde 6 bytes JMP 7181000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007584dc81 3 bytes JMP 717e000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW + 4 000000007584dc85 2 bytes JMP 717e000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007739f784 6 bytes JMP 719f000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000773a2c9e 4 bytes CALL 71ac0000 .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076f88332 6 bytes JMP 715a000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076f88bff 6 bytes JMP 714e000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076f890d3 6 bytes JMP 7109000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076f89679 6 bytes JMP 7148000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000076f897d2 6 bytes JMP 7142000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f8ee09 6 bytes JMP 7160000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000076f8efc9 3 bytes JMP 710f000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000076f8efcd 2 bytes JMP 710f000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076f912a5 6 bytes JMP 7154000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076f9291f 6 bytes JMP 7127000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetParent 0000000076f92d64 3 bytes JMP 711e000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076f92d68 2 bytes JMP 711e000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076f92da4 6 bytes JMP 7106000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076f93698 3 bytes JMP 711b000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000076f9369c 2 bytes JMP 711b000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076f93baa 6 bytes JMP 7157000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076f93c61 6 bytes JMP 7151000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076f96110 6 bytes JMP 715d000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076f9612e 6 bytes JMP 714b000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076f96c30 6 bytes JMP 710c000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f97603 6 bytes JMP 7163000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076f97668 6 bytes JMP 7136000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000076f976e0 6 bytes JMP 713c000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000076f9781f 6 bytes JMP 7145000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f9835c 6 bytes JMP 7166000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000076f9c4b6 3 bytes JMP 7118000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000076f9c4ba 2 bytes JMP 7118000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000076fac112 6 bytes JMP 7133000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000076fad0f5 6 bytes JMP 7130000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076faeb96 6 bytes JMP 7124000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076faec68 3 bytes JMP 712a000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000076faec6c 2 bytes JMP 712a000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendInput 0000000076faff4a 3 bytes JMP 712d000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076faff4e 2 bytes JMP 712d000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076fc9f1d 6 bytes JMP 7112000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076fd1497 6 bytes JMP 7103000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076fe027b 6 bytes JMP 7169000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076fe02bf 6 bytes JMP 716c000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076fe6cfc 6 bytes JMP 713f000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076fe6d5d 6 bytes JMP 7139000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076fe7dd7 3 bytes JMP 7115000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076fe7ddb 2 bytes JMP 7115000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076fe88eb 3 bytes JMP 7121000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000076fe88ef 2 bytes JMP 7121000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000771a58b3 6 bytes JMP 718d000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000771a5ea6 6 bytes JMP 7178000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000771a7bcc 6 bytes JMP 7196000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000771ab895 6 bytes JMP 716f000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000771ac332 6 bytes JMP 7175000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000771acbfb 6 bytes JMP 7190000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000771ae743 6 bytes JMP 7193000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000771d4857 6 bytes JMP 7172000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007565124e 6 bytes JMP 718a000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000077429d0b 6 bytes JMP 7199000a .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077601465 2 bytes [60, 77] .text C:\GMER\yyd1x589.exe[1172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776014bb 2 bytes [60, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Explorer.EXE [1836:2708] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2712] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2728] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2732] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2736] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2740] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2744] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2764] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2096] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2104] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2216] 0000000003128560 Thread C:\Windows\Explorer.EXE [1836:2276] 0000000003128560 Thread C:\Windows\SysWOW64\EXPLORER.exe [4288:4392] 0000000002b109b0 Thread C:\Windows\SysWOW64\EXPLORER.exe [4288:4396] 0000000002b12d23 Thread C:\Windows\SysWOW64\EXPLORER.exe [4288:4400] 0000000002b10c2b Thread C:\Windows\system32\taskhost.exe [3112:3948] 00000000025ce780 Thread C:\Windows\system32\dllhost.exe [7480:6900] 000000000222bf80 Thread C:\Windows\system32\dllhost.exe [7480:7964] 000000000010ffb8 Thread C:\Windows\system32\msiexec.exe [6312:7804] 000000000245bf20 Thread C:\Windows\system32\msiexec.exe [6312:668] 00000000000e0638 Thread C:\Windows\system32\msiexec.exe [6300:7736] 00000000024639c0 Thread C:\Windows\system32\msiexec.exe [6300:8156] 00000000000ff1f8 Thread C:\Windows\system32\PresentationHost.exe [3824:6744] 00000000028056e0 Thread C:\Windows\system32\PresentationHost.exe [3824:7500] 00000000001df038 Thread C:\Windows\explorer.exe [4256:8092] 00000000026e6180 Thread C:\Windows\explorer.exe [4256:4956] 000000000004fdb8 Thread C:\Windows\system32\msiexec.exe [8104:7024] 0000000002381da0 Thread C:\Windows\system32\msiexec.exe [8104:7368] 00000000000aeb78 Thread C:\Windows\system32\conhost.exe [7224:6844] 00000000024e1a20 Thread C:\Windows\system32\conhost.exe [7224:3240] 00000000001dfbb8 Thread C:\Windows\system32\conhost.exe [3720:6256] 00000000024e2f40 Thread C:\Windows\system32\conhost.exe [3720:5920] 00000000002206f8 Thread C:\Windows\system32\msiexec.exe [7968:4016] 0000000002465140 Thread C:\Windows\system32\msiexec.exe [7968:2788] 000000000005ecb8 Thread C:\Windows\system32\conhost.exe [1084:3848] 00000000024da000 Thread C:\Windows\system32\conhost.exe [1084:6484] 00000000001100f8 Thread C:\Windows\system32\conhost.exe [7808:7300] 00000000024d8e80 Thread C:\Windows\system32\conhost.exe [7808:7348] 00000000001bfeb8 Thread C:\Windows\system32\cmd.exe [6560:5024] 00000000025afcc0 Thread C:\Windows\system32\cmd.exe [6560:7888] 000000000022ff38 Thread C:\Windows\system32\ctfmon.exe [7560:7768] 00000000021f1300 Thread C:\Windows\system32\ctfmon.exe [7560:7472] 000000000014ed78 ---- Processes - GMER 2.1 ---- Library C:\Users\Ida\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1836] (GG drive menu/GG Network S.A.)(2014-11 000000005ff80000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4b67672595b Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4b67672595b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Files - GMER 2.1 ---- File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_1 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_1\Exam_Test_1.doc 1028608 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_1\Exam_Test_1_Audio_Script.doc 363520 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_1\Exam_Test_1_Key.doc 26624 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_2 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_2\Exam_Test_2.doc 1093120 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_2\Exam_Test_2_Audio_Script.doc 366080 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_2\Exam_Test_2_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_3 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_3\Exam_Test_3.doc 786944 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_3\Exam_Test_3_Audio_Script.doc 366592 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Exam_Tests\Exam_Test_3\Exam_Test_3_Key.doc 27136 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_1 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_1\Grammar_Test_1.doc 367104 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_1\Grammar_Test_1_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_10 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_10\Grammar_Test_10.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_10\Grammar_Test_10_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_11 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_11\Grammar_Test_11.doc 366080 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_11\Grammar_Test_11_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_12 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_12\Grammar_Test_12.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_12\Grammar_Test_12_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_13 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_13\Grammar_Test_13.doc 370176 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_13\Grammar_Test_13_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_14 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_14\Grammar_Test_14.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_14\Grammar_Test_14_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_15 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_15\Grammar_Test_15.doc 370176 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_15\Grammar_Test_15_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_16 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_16\Grammar_Test_16.doc 366592 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_16\Grammar_Test_16_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_2 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_2\Grammar_Test_2.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_2\Grammar_Test_2_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_2\~$ammar_Test_2.doc 162 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_3 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_3\Grammar_Test_3.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_3\Grammar_Test_3_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_4 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_4\Grammar_Test_4.doc 366080 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_4\Grammar_Test_4_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_5 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_5\Grammar_Test_5.doc 364544 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_5\Grammar_Test_5_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_6 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_6\Grammar_Test_6.doc 364544 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_6\Grammar_Test_6_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_7 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_7\Grammar_Test_7.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_7\Grammar_Test_7_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_8 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_8\Grammar_Test_8.doc 366592 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_8\Grammar_Test_8_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_9 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_9\Grammar_Test_9.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_1-16\Grammar_Test_9\Grammar_Test_9_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_17 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_17\Grammar_Test_17.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_17\Grammar_Test_17_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_18 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_18\Grammar_Test_18.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_18\Grammar_Test_18_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_19 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_19\Grammar_Test_19.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_19\Grammar_Test_19_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_20 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_20\Grammar_Test_20.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_20\Grammar_Test_20_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_21 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_21\Grammar_Test_21.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_21\Grammar_Test_21_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_22 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_22\Grammar_Test_22.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_22\Grammar_Test_22_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_23 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_23\Grammar_Test_23.doc 365056 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_23\Grammar_Test_23_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_24 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_24\Grammar_Test_24.doc 366080 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_24\Grammar_Test_24_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_25 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_25\Grammar_Test_25.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_25\Grammar_Test_25_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_26 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_26\Grammar_Test_26.doc 366080 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_26\Grammar_Test_26_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_27 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_27\Grammar_Test_27.doc 365568 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_27\Grammar_Test_27_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_28 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_28\Grammar_Test_28.doc 367104 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_28\Grammar_Test_28_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_29 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_29\Grammar_Test_29.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_29\Grammar_Test_29_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_30 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_30\Grammar_Test_30.doc 369664 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_30\Grammar_Test_30_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_31 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_31\Grammar_Test_31.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Grammar_Tests_17-31\Grammar_Test_31\Grammar_Test_31_Key.doc 26624 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_1 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_1\Vocabulary_Test_1.doc 369152 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_1\Vocabulary_Test_1_Key.doc 24576 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_10 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_10\Vocabulary_Test_10.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_10\Vocabulary_Test_10_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_11 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_11\Vocabulary_Test_11.doc 369664 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_11\Vocabulary_Test_11_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_12 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_12\Vocabulary_Test_12.doc 367104 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_12\Vocabulary_Test_12_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_13 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_13\Vocabulary_Test_13.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_13\Vocabulary_Test_13_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_14 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_14\Vocabulary_Test_14.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_14\Vocabulary_Test_14_Key.doc 25600 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_2 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_2\Vocabulary_Test_2.doc 373248 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_2\Vocabulary_Test_2_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_3 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_3\Vocabulary_Test_3.doc 375808 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_3\Vocabulary_Test_3_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_4 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_4\Vocabulary_Test_4.doc 377856 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_4\Vocabulary_Test_4_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_5 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_5\Vocabulary_Test_5.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_5\Vocabulary_Test_5_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_6 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_6\Vocabulary_Test_6.doc 367616 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_6\Vocabulary_Test_6_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_7 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_7\Vocabulary_Test_7.doc 368640 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_7\Vocabulary_Test_7_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_8 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_8\Vocabulary_Test_8.doc 368640 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_8\Vocabulary_Test_8_Key.doc 26112 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_9 0 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_9\Vocabulary_Test_9.doc 368128 bytes File C:\Users\Ida\Desktop\Ida\oceny Irzykowskiego inne Irzykowskiego\Irzyka\ksiazki- materialy angielski\Longman Egzamin Gimnazjalny PodrÄ™cznik i Repetytorium z testami - Test Maker\Longman Egzamin Gimnazjalny Podręcznik i Repetytorium z testami - Test Maker\Vocabulary_Tests\Vocabulary_Test_9\Vocabulary_Test_9_Key.doc 25600 bytes ---- EOF - GMER 2.1 ----